the problem of cyber-attribution and how it matters for
TRANSCRIPT
The Problem of Cyber-Attribution and How
it Matters for International Law
and Global Security
Leandro Pereira Mendes
(u970343 - 2047809)
June 2020
LLM International Law and Global Governance
Tilburg Law School – Tilburg University
Master’s Thesis supervisor: Prof. dr. Nikolas M. Rajkovic
Master’s Thesis second reader: Prof. dr. Leena K. Grover
Word count: 11.950
2
This thesis is dedicated to my parents, Rosa
Claudia and Marcio, for their love, endless
support, and encouragement.
3
Abstract
The 2007 Estonian attacks illustrate the severity of the threats facing states’ cybersecu-
rity, and the equally important challenge of attributing blame for cyberattacks. Even though
determining the machines that launched a malicious cyber incident is no longer an arduous task
for the most developed states, identifying the individuals, organizations, or governments that
are legally responsible for the attack continues to be extremely difficult. This study argues that,
as it stands now, international law not only fails in effectively dealing with the attribution prob-
lem, but also is unlikely to be instrumental in providing both predictability and stability to
cyberspace in the short and medium-terms. As a result, the cyber domain will continue to be
an environment that offers the perfect conditions for the security dilemma to thrive and in
which incidents – whether intended or not – can trigger off conflicts causing widespread harm
to the whole international security system.
Keywords: cyber-attribution, attribution problem, cybersecurity, security dilemma, interna-
tional security, Tallinn Manual, non-state initiatives.
4
Table of Contents
Abbreviations ........................................................................................................................... 5
Chapter 1 – Introduction ........................................................................................................ 6
Chapter 2 – Realism and the Security Dilemma ................................................................. 14
2.1 What is the security dilemma? ....................................................................................... 15
Chapter 3 – The Attribution Problem ................................................................................. 18
3.1 Why is attribution so difficult? ...................................................................................... 19
3.2 Why does cyber-attribution matter? ............................................................................... 24
Chapter 4 – International Law and Cybersecurity ............................................................ 29
4.1 Leading non-state initiatives .......................................................................................... 34
4.2 The value of soft law ...................................................................................................... 39
Chapter 5 – Conclusion ......................................................................................................... 42
Bibliography ........................................................................................................................... 46
Articles, Reports and Books ................................................................................................. 46
Legal Sources and Official Documents ................................................................................ 53
Websites ............................................................................................................................... 56
5
Abbreviations
ACTMs Antarctic Treaty Consultative Party Meetings
CCD COE Cooperative Cyber Defence Centre of Excellence
CIA Central Intelligence Agency
DDOS Distributed Denial of Service
DNC Democratic National Committee
DNI Director of National Intelligence
GGE Group of Governmental Experts
IAEA International Atomic Energy Agency
ICJ International Court of Justice
ICTs Information and Communication Technologies
ICTY International Criminal Tribunal for the Former Yugoslavia
IHL International Humanitarian Law
ILC International Law Commission
IP Internet Protocol
NATO North Atlantic Treaty Organization
UK United Kingdom
USA United States of America
VCLT Vienna Convention on the Law of Treaties
6
Chapter 1 – Introduction
By providing people across the globe with instant access to information, to communi-
cation, and to novel economic opportunities, cyberspace1 and the rapid development of Infor-
mation and Communication Technologies (ICTs) have essentially transformed not only the
world economy, but also the way of life. Education, health, government, as well as sectors such
as energy, communication, and transportation are inextricably linked to, if not dependent on,
the cyber domain2. As information technology becomes more widespread and integrated into
our daily lives, the probability of compromise by malicious cyber activity increases3. Accord-
ing to the former Director of National Intelligence (DNI) of the United States, more than thirty
countries are developing offensive cyber capabilities, which will rise the incidence of both
standoff and remote operations4. To complicate matters further, these capabilities are progres-
sively under criminal and other non-state actors’ control5. Therefore, cyberattacks6 that deeply
affect international peace and the global economy are no longer “futuristic or far-fetched”, but
rather the reality of cyberspace7.
1 “Cyberspace” is defined by the United States National Military Strategy for Cyberspace Operations as “a domain characterized by the use of electronics and the electromagnetic spectrum to store, modify, and exchange data via networked systems and associated physical infrastructure” (United States Department of Defence (DoD), The National Military Strategy for Cyberspace Operations, December 2006,3). Therefore, cyberspace also includes all networked digital operations. 2 Pipyros et al. 2018, 371. 3 Davis II et al. 2017, 1 4 United States Senate 2017, 5. 5 Owens, Dam, and Lin 2009, 27. 6 By cyberattack, I refer to the definition applied by Oona Hathaway et al. as “any action taken to undermine the functions of a computer network for a political or national security purpose” (Hathaway et al. 2012, 826). This definition, however, differs from that used by the U.S. Cyber Command, which identifies cyberattacks as those “that cause physical damage to property or injury to persons.” (Ibid., 821 n.9). Hathaway et al.’s definition also differs from the one offered by the Tallinn Manual on the International Law Applicable to Cyber Warfare, which describe cyberattack as “a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects” (Schmitt 2013, 92). It is important to bear in mind that both the Tallinn Manual and the Cyber Command definitions are under-inclusive, particularly consid-ering the Democratic National Committee (DNC) hack, which did not cause physical damage to property or per-sons, but involved the domaine resérvé of the U.S., raising relevant national security concerns about democratic procedures and the violation of the prohibition of intervention. Hathaway et al.’s terminology, on the other hand, covers a broader set of cyberattacks, including attacks such as the DNC hack. In addition, I use the term ‘cyberattack’ instead of ‘cyber warfare’ because the latter refers to a smaller subset of cyberattacks that “constitute armed attacks or that occur in the context of an ongoing armed conflict” (Hath-away et al. 2012, 821). By contrast, the term ‘cyberattack’ embraces a broad range of attacks, from cyber warfare to those attacks that fall short of armed conflict but still deserve some kind of sanction (Tran 2018, 380 n.13). Furthermore, Hathaway and her co-authors make a distinction between cyberattacks and cyberespionage; ac-cording to the they, “neither cyber-espionage nor cyber-exploitation constitutes a cyber-attack because these concepts do not involve altering computer networks in a way that affects their current or future ability to func-tion” (Hathaway et al. 2012, 829). 7 Schmitt and Watts 2016, 596.
7
Following the relocation of a Soviet war memorial in 2007, Estonia was hit by a series
of massive cyberattacks lasting three weeks8. Taking into consideration that the small Baltic
country is one of the most wired societies in Europe9, the Distributed Denial of Service (DDoS)
attacks10 were particularly harmful, resulting in a temporary interruption of service on many
government and commercial websites11 and, thus, profoundly affecting the functioning of the
country’s economy12. Initially, the attacks were attributed to Russia due to the political atmos-
phere at the time, as well as past Russian actions. This explanation, however, was questioned
by technical experts, and even NATO officials were disinclined to assign blame to the Russian
government. Because of disagreements over the links between the attackers and Russia, what
at first appeared to be a pretty obvious case of aggression became a gridlock. Although it is
highly probable that the Russian state launched the cyberattack13, its involvement has never
been proven. Yet, the attack continues to be an example of Russia’s cyber capabilities that
following cyberattacks will be judged by14.
In hindsight, the Estonian attacks were “fairly mild and simple”, far less damaging than
the cyberattacks that have followed15. Even so, they brought cyberspace to the forefront of
international relations discussions, raising awareness among states about the severe risk posed
by the growing dependence on ICTs, as well as the possibility of conflict in this new and unique
environment. Indeed, during the last decade, the international community has witnessed and
experienced a considerable number of problematic episodes in cyberspace – the cyber intrusion
at Sony Pictures Entertainment16, the attack on France’s TV5Monde17, the Democratic National
8 Traynor 2007. 9 By 2007, 98% of Estonian territory was covered with Internet access, and mobile phone penetration was almost 100% (Tikk, Kaska, and Vihul 2010, 17). 10 According to Clark and Landau, DDoS attack is a concerted malevolent effort in which a large number of ma-chines from all over the Internet attack a site or a set of sites in order to disrupt service by overloading a server or a link (Clark and Landau 2011, 6). 11 Dinniss 2014, 38-39. 12 Supra note 8, at 25. 13 Schulzke 2018, 960. 14 Ibid. It is necessary to recognize that this situation poses a threat to international peace since, according to Gomez, the “adversary’s past behaviour may motivate a disproportionate response to pre-empt any further threats” (Gomez 2019, 1-2). 15 Schmitt 2017, xxiii. 16 On November 2014, Sony Pictures’ computers were broken into, and sensitive information from the film stu-dio and unreleased movies were published online, disrupting the company business operations (Davis II et al. 2017, 42). Considering that Sony had produced the movie The Interview, which depicts the assassination of Kim Jong-Un, speculations about North Korean participation were raised (Egloff 2019, 10). Through a press state-ment, North Korea denied responsibility for the cyberattack, but praised the attackers for their actions. As of yet, no one was able to prove North Korean involvement and the evidence implicating it was considered “flimsy” (Zetter 2014b). 17 In April 2015, the French-language television network had its computer infrastructure and social media ac-counts hacked. Initially, the group called Cyber Caliphate, an Islamic State affiliate, claimed responsibility for the
8
Committee (DNC) hack18, to name a few. Almost each of them has illustrated the new interna-
tional status that Lucas Kello calls “unpeace” – a “mid-spectrum rivalry lying below the phys-
ically destructive threshold of interstate violence, but whose harmful effects far surpass the
tolerable level of peacetime competition”19.
Against this background, at the 2016 Defence Ministerial Meeting, the North Atlantic
Treaty Organization (NATO) defence ministers officially recognized cyberspace as a new fron-
tier of warfare20, and that decision was endorsed at the 2016 Warsaw Summit21. Now, the Allies
“recognize cyberspace as a domain of operations in which NATO must defend itself as effec-
tively as it does in the air, on land, and at sea”22. Certainly, the change comes as a response to
the increasing number of cyberattacks against both the organization and its member states. The
threat posed by these attacks even prompted former U.S. Secretary of Homeland Security to
declare that cyberattacks “now exceed the risk of physical attacks” in terms of breadth and
range of possible outcomes23. And such attacks show no sign of decreasing, as the aforemen-
tioned examples demonstrate.
Although the persistence of cyberattacks might be due, in part, to the relative availabil-
ity and fairly low cost of the technology needed to mount an attack24, it might also largely result
from the difficulty in identifying its perpetrators and attributing blame25. The structure of the
Internet, which “was not designed with the goal of deterrence in mind”26, provides the perfect
setting for state and non-state actors to take part in malicious activity unafraid of attribution or
retaliation27. Worse still, aggressors are able to conceal themselves and the full effects of their
operations by using technical mechanisms and/or relying on non-state proxies that they rent or
compromise28. For example, the cyberattacks that hit Estonia originated from at least 177
attacks, but as the investigations began, it became clear that the jihadist group was just a cover-up (Corera 2016). The private company FireEye ultimately attributed the attack to Russian hackers. 18 In 2015, in the middle of the presidential election, the DNC suffered a cyberattack, resulting in the exfiltration of files and emails, many of which were published by WikiLeaks. In 2016, the DNC publicly attributed the attack to two distinct Russian espionage groups, APT28 and APT29 (Egloff 2019, 13). Although it is extremely difficult, if not impossible, to assess the full damage of the cyber intrusion, it is understood to have played a major role in the 58th U.S. presidential election (Davis II et al. 2017, 34). 19 Allison 2018; Banks 2019, 191. 20 Barnes, 2016. 21 Ablon et al. 2019, 1. 22 NATO, Warsaw Summit Communiqué (July 2016), n.70. 23 Nielsen 2018. 24 Payne and Finlay 2017, 556; Boerbert 2010, 43. 25 Tran 2018, 381. 26 Supra note 10, at 1. 27 Supra note 24. 28 Carlin 2016, 409; Carr 2010, 139-40.
9
countries, including from within the Estonian territory29. Evidence has been found that attack-
ers also obscure their identities through the adoption of foreign languages and elements of
malware previously associated with other actors30, and they might even exploit existing ani-
mosities in order to mask their identity and thus hinder attribution efforts31. By way of one
example, the escalating tension between Iran and the United States suggests that both countries
would be unwilling to fully cooperate in the case of a cyberattack, making Iran the perfect
cover-up for third-party states and non-state actors attempting to launch a cyberattack against
the USA and vice versa. It is therefore understood that attributing cyberattacks is vastly time-
consuming and an “inherently interdisciplinary”32 process, requiring great technical and non-
technical expertise and input from a range of actors and sources33. In this regard, taking into
account the effort necessary for its fulfilment, cyber-attribution was considered to be “an art as
much as a science”34.
The Estonian attacks are a prime example of how challenging the attribution of cyberat-
tacks can be; thirteen years have passed and one cannot affirm whether the attacks were offi-
cially sanctioned by the Russian government or whether they were perpetrated by rogue spies
or even by independent nationalistic criminals35. It is important to bear in mind that, in the
cyber domain, attribution differs from punishment36, and it is defined as “identifying the agent
responsible for the action”37. Since cyberattacks have proliferated and become commonplace,
attribution has grown in relevance38. As a result, states have been investing resources and po-
litical capital to develop accountable attribution mechanisms in order to deter potential cyber-
attackers.
In spite of the fact that determining the machines that launched a cyberattack is no
longer an arduous task for the most developed countries, identifying the individuals, organiza-
tions, or governments that are legally responsible for the attack continues to be challenging39.
The attribution of cyberattacks presents unique legal challenges because states were not able
to reach a broad international agreement on how to govern the cyber domain and the current
29 Payne and Finlay 2017, 560. 30 Supra note 12. 31 Ibid; Payne and Finlay 2019, 203. 32 Egloff and Wenger 2019, 3 33 Banks 2017, 1503. 34 Rid and Buchanan 2015, 7. 35 Supra note 12. 36 Lindsay 2015, 57. 37 Supra note 10. 38 Banks 2019, 191. 39 Supra note 38, at 192.
10
international legal framework does little to control cyber operations40. On this matter, Schmitt
and Vihul believe that even if agreement were to be reached on a multilateral binding cyber
treaty, it would probably be undermined by states’ individual reservations41. Similarly, accord-
ing to Mačák, there seems to be a resistance to the codification of international rules applicable
to cyberspace42.
In addition, as cyber operations usually happen in secrecy43, customary international
law is not able to develop understandings or recognize state practice about attributing respon-
sibility for cyberattacks44. Further complicating the issue, governments have been unwilling to
clearly express opinio juris on topics associated with the cyber domain45. This attitude might
be the result of a domestic political deadlock, a calculated waiting strategy46, or even the prod-
uct of the “cybersecurity knowledge gap”47. Nevertheless, this state reticence contributes to the
enduring ambiguity of international cyber law48. It is also important to point out that no inter-
national organization, agency, or entity has the legal authority to attribute responsibility for a
cyberattack. Due to this institutional legal vacuum, seldom do governments make official at-
tribution claims, and, in the rare occasion that they do, their statements are normally perceived
40 Supra note 25, at 384. 41 Schmitt and Vihul 2016, 39. As codified in Article 2(d) of the Vienna Convention on the Law of Treaties (VCLT), reservation is “a unilateral statement, however phrased or named, made by a State, when signing, ratifying, accepting, approving or acceding to a treaty, whereby it purports to exclude or to modify the legal effect of certain provisions of the treaty in their application to that State” (United Nations, Vienna Convention on the law of treaties, 23 May 1969, vol. 1155,1-18232, art. 2(d)). It is perhaps useful to point out that some scholars have indicated that a successful agreement might be almost impossible to achieve, at least in the near future. For instance, Waxman believes that “not only do certain fea-tures of cyber-activities make international legal regulation very difficult, but major actors also have divergent strategic interests that will pull their preferred doctrinal interpretations and aspirations in different directions, impeding formations of a stable international consensus” (Waxman 2011, 425-26). On this point, Goldsmith ar-gues that “the fundamental clash of interests concerning the regulation of electronic communications, the deep constrains the United States would have to adopt to receive reciprocal benefits in a cybersecurity treaty, and the debilitating verification problems will combine to make it unfeasible to create a cybersecurity treaty that purports to constrain governments”. (Goldsmith 2011, 12). 42 Mačák 2017, 5. 43 Mačák 2016, 130. About the high classified nature of state practice in cyberspace, Clarke and Knake state that “the entire phenomenon of cyber war is shrouded in such government secrecy that it makes the Cold War look like a time of openness and transparency” (Clarke and Knake 2010, xi). Also, Efrony and Shany try to explain the absence of transparency in cyberspace; for them, states believe that transparency may reveal “their vulnerabil-ities, adversely affect their offensive or defensive capabilities, and weaken their power of deterrence” (Efrony and Shany 2018, 631). 44 Supra note 38, at 194. 45 Among the notable exceptions, the USA stands out with its International Strategy for Cyberspace (United States, The White House, International Strategy for Cyberspace: Property, Security, and Openness in a Networked World, May 2011). 46 Schmitt and Watts 2015, 211. 47 Singer and Friedman 2014, 4-8. 48 Supra note 43, at 130.
11
to be entirely political and shrouded in secrecy, which can raise questions about the veracity of
the facts49. The attribution problem50, therefore, is critical because attribution is a, if not the,
key prerequisite to any lawful response under public international law, including self-defence51.
This creates a dangerous practical gap that both precludes state responsibility52 and encourages
attackers by allowing them to strike with impunity53. Indeed, without an operative legal regime,
the cyber domain “is not so far from the lawless lacuna some hoped it would become”54.
Against this backdrop, scholars, cyber-experts, and international stakeholders have
been attempting to bridge the gap with their views on how international law applies to cyber-
space. These non-state-driven initiatives are trying to promote a safe international system and
reduce the chances of conflict arising from cyberattacks by filling the void created by states’
reluctance to undertake the international law-making process55. The most important and com-
prehensive of these attempts certainly is the Tallinn Manual project, which is under the auspices
of the NATO Cooperative Cyber Defence Centre of Excellence (CCD COE). This project,
however, is neither an international treaty on cyber law nor does it offer a new set of interna-
tional rules nor represent the position of any country or organization56. Rather, it is a restate-
ment of international law as it is (lex lata)57, establishing a comprehensive legal structure for
the governance of cyber operations during both times of peace and conflict. Considering the
Tallinn project’s non-state and non-binding nature, one is then left to question its actual rele-
vance to public international law, which still is very much attached to state-centric assumptions
and foundations of the early formative stage of the international legal regime.
On this basis, my main argument lies heavily on the idea that the current international
legal framework is underdeveloped vis-à-vis cyber-attribution, as its norms and principles were
designed to the physical world and still, at present, mainly govern the relationship between
states. Cyberspace, on the other end of the spectrum, is predominantly inhabited by non-state
49 Supra note 2, at 19. It is interesting to highlight that attributing cyberattacks to states is a new phenomenon (Eichensehr 2019b ,7-8). For instance, the first official public accusation by the USA only came in 2014, when five Chinese military hackers were criminally charged for cyberespionage against U.S. corporations (The United States, Department of Justice, May 19 2014). 50 By attribution problem, I refer to the difficulty in discovering the identity or location of the responsible for a cyberattack or their intermediary. 51 Supra note 25, at 384; Supra note 31, at 205. 52 Supra note 32, at 1495. 53 Supra note 31, at 205. 54 Chircop 2018, 653. 55 Supra note 42, at 1. 56 Despite NATO’s sponsorship, the Tallinn Manuals do not reflect the official position of the Alliance. 57 Supra note 32, at 1494.
12
actors58 and, as Libicki aptly put it, is divided between the physical, syntactic, semantic, and
pragmatic layers59. As it stands now, international law fails in coping with contemporary chal-
lenges posed by cyberspace and the rapid development of ICTs, notably the attribution of
cyberattacks. As will be developed bellow, this practical gap not only hinders the cyber-attrib-
ution process, but also threatens international security on an equivalent scale to traditional
armed attacks60.
Although literature on cybersecurity normally perceives the attribution problem as a
technical issue, due to the significant technological advancements experienced in the last dec-
ade, attribution is already “more nuanced, more common, and more political”61 than it is
acknowledged. It is therefore understood that the solution to this dangerous situation lies within
the legal and political domains, not in the technical realm62. Non-state initiatives have been
trying to overcome this legal quagmire, but the international legal system still is inherently
attached to a state-centric approach. Therefore, no set of international binding rules as far as
cybersecurity is concerned will ever likely be achieved without the participation of states.
Considering that so many aspects of our lives are now bound up with cyberspace, the
discussion about cyber-attribution is not only pertinent but also urgent. Such a delicate situation
deserves to be taken most seriously and it would be unduly ambitious to try to provide a full
answer in this study. My purpose, however, is to make a modest attempt at shedding some light
on the issue. Ideally, this may contribute to a constructive debate about the problem of attrib-
uting blame for cyberattacks.
The following research question was articulated in order to function as the backbone of
the work here presented: to what extent is international law underdeveloped vis-à-vis cyber-
attribution? Also, as a means to enlighten the path of this study, the following sub-questions
were established: why does cyber-attribution matter? What are the legal and political chal-
lenges imposed by the attribution problem? How the difficulty in attributing blame of a cyberat-
tack affects international security?
In order to carry out the aforementioned study, a qualitative research of a doctrinal
nature will be applied. Mainly, this will be a legal work based on primary and secondary legal
sources. Parallel to the legal background, this study will also endeavour to apply the Interna-
tional Relations’ concept of security dilemma to cyberspace. By bringing this concept to the
58 Supra note 42, at 14. 59 Libicki 2007, 236-37. 60 Supra note 54, at 652. 61 Supra note 33, at 6. 62 Eichensehr 2019b, 2.
13
study, I hope to achieve a better understanding of how the unconventional characteristics of
the cyber domain can lead to misperceptions, fear, and conflict spirals. To that end, Chapter 2
provides a brief overview of the security dilemma concept, presenting its main characteristics.
Chapter 3 reviews the problem of attribution, discussing its most oft-cited causes and explain-
ing why this issue deserves attention from the international community. Also, it assesses how
the difficulty in attributing blame for a cyberattack affects international security as a whole.
Subsequently, Chapter 4 approaches the research question through the analysis of current in-
ternational law, discussing grey areas, as well as international rules that are applicable to cy-
berspace. Moreover, it reviews leading non-state initiatives that have been contributing to the
development of the international legal framework in the challenging domain of cyberspace,
especially Microsoft’s proposals and the Tallinn Manual project. In addition, Chapter 4 exam-
ines the value of soft law norms for the international legal framework, and briefly discuss the
Antarctic and nuclear safety regimes as examples of the codification of nom-binding norms.
Finally, Chapter 5 concludes by reflecting on the main ideas discussed throughout this study
and opening the path for additional insights and hopefully avenues for further research.
14
Chapter 2 – Realism and the Security Dilemma
In international relations theory, Realism, also known as political realism, is one of the
dominants schools of thought63. Realists depict an anarchical, competitive and conflictual
world, in which insecurity among states is inescapable64. Note that ‘anarchical’ is used here in
a technical sense, indicating the dearth of an overarching, political authority at the international
level. Under anarchy, states are the main actors in the international arena and their primary
responsibility is to secure their own interests, especially their survival65. In order to do so,
according to the realist theory, states will attempt to acquire power and engage in power-bal-
ancing66, creating what Hoffman called “a state of war”67.
The interstate political order is, therefore, a self-help system plagued by “uncertainty,
weapons and fear”68, and in which power plays the leading role in shaping the relation between
states69. As long as we accept the basic premises of the realist theory, this hostile and insecure
environment not only leaves little room for international cooperation70, but also encourages
“behaviour that leaves all concerned worse off than they could be, even in the extreme case in
63 This study will not differentiate Realism into its various strands since this warrant a more extended discussion that I can here give it. It is perhaps useful to point out, however, that realism is normally contrasted with liber-alism or idealism, which tend to focus on international cooperation. Compared to these theories, the realist perspective is undeniably pessimistic. As Keohane put it, realism is “the language of power and interests rather than of ideals or norms” (Keohane 1986, 9). 64 Wheeler and Booth 2007, 2. 65 Waltz 1979, 91. Waltz points out that, “internationally, the environment of states’ actions, or the structure of their system, is set by the fact that some states prefer survival over other ends obtainable in the short run and act with relative efficiency to achieve that end” (Waltz, 1979, 93). On this topic, Jervis identifies throughout his book, entitled Perception and Misperception in International Politics, some states that did not have survival as their primary goal. For instance, During Hitler’s government, Germany valued territorial expansion over security (Jervis 2017). 66 According to Andersen, balance of power is “a mechanism that ideally would make states intentionally or unintentionally join the weaker part against the strong, to equal out or balance the distribution of power amongst states in the international system” and states “would do this to assure their own survival” (Andersen 2018, 1). 67 Hoffmann defines ‘state of war’ as “a competition of units in the kind of state of nature that knows no restrains other than those which the changing necessities of the game and the shallow convenience of the players im-pose” (Hoffmann 1965, vii). 68 Supra note 65. 69 Korab-Karpowicz 2017. It is important to note that Wendt argues, through the lenses of Constructivism, that “self-help and power politics are institutions, and not essential features of anarchy. Anarchy is what states make of it” (Wendt 1992, 395). 70 Waltz points out two reasons why international cooperation is limited by anarchy: insecurity and unequal gains. In an anarchic international system, states are not certain about each other’s intentions and they fear that cooperation might favour one state in detriment of the others, creating some kind of dependence. He argues that “[s]tates do not willingly place themselves in situations of increased dependence. In a self-help system, considerations of security subordinate economic gain to political interest” (Supra note 66, at 107).
15
which all states would like to freeze the status quo”71. To put it differently, the uncertainties
inherent in an anarchic world cause states to feel insecure, leading to counterproductive policies
and suboptimal results, such as security dilemmas, crises, or even wars72. As Schweller ex-
plained, “insecurity and the use of force are enduring attributes of the self-help international
system”73.
2.1 What is the security dilemma?
According to Wheeler and Booth, the security dilemma is the quintessential dilemma
in interstate politics74. Coined by Herz (1950) and Butterfield (1951), the term has since be-
come an integral part of any discourse on international security and has been expanded and
employed to “address many of the most important questions of international relations theory
and security policy”75. Both authors describe the security dilemma as a situation where the
increase of a state’s security simultaneously (and unintentionally) decreases the security of
other states76. The risk here is that misperceptions and conflict spirals dramatically increase the
chances of unnecessary or avoidable armed conflicts.
For instance, a state might attempt to increase its own security and avert aggression by
acquiring more weapons, bringing them to a higher state of readiness, or creating alliances.
Under anarchy, an adversarial state will get the wrong impression about this behaviour, inter-
preting it as a preparatory action for future attacks. This state will thus fell threatened and will
take action to enhance its own security. The first state will have confirmed its suspicions about
its adversary’s belligerence, increasing tension and leading to an arms race or even war. In this
scenario, conflict is not the product of the actual intentions and military capabilities of a spe-
cific actor. Rather, it is the result of mutual misperceptions and miscommunications that arise
from the inability of states to understand each other’s intentions and motives with complete
71 Jervis 1978, 167. 72 Carlsnaes et al. 2002, 372; Montgomery 2006, 183. 73 Schweller 1996, 116. Note that, according to Mearsheimer, “the best way for a state to survive in anarchy is to take advantage of other states and gain power at their expenses” (Mearsheimer 2001, 36). 74 Supra note 65, at 29. 75 Glaser 1997, 172. 76 Jervis describes the security dilemma as a situation where “many of the means by which a state tries to in-crease its security decreases the security of others” (Supra note 71, at 169-70). Likewise, Glaser explains that the security dilemma exists when a “state’s effort to increase its security would have the unintended effect of reducing its adversary’s security” (Glaser 2010, 56). Montgomery, on the other hand, sees the security dilemma as primarily an issue of perception; he describes it as “the situation where one state’s attempt to increase its security appear threatening to others and provoke an unnecessary conflict” (Montgomery 2006, 151).
16
confidence77. In this sense, as Herz points out, “it is one of the tragic implications of the security
dilemma that mutual fear of what initially may never have existed may subsequently bring
about what is feared the most”78. Note that this is a “fertile version” of the philosophical prob-
lem of Other Minds, that is, “how one mind can ever know what is in the mind of another”79.
The difficulty in correctly perceiving other’s intentions is related to the fact that many
of the methods by which a state attempts to enhance its security will certainly make other states
feel less secure. Jervis notes that, at the domestic level, individuals can attempt to increase their
safety in several ways without jeopardizing others; one can, for instance, put bars on the win-
dows, move to a safer area, and avoid dark streets80. At the international level, however, “one
state’s gain in security often inadvertently threatens others”81. The Cold War is a prime exam-
ple of this. Both the United States’ and the Soviet Union’s efforts to increase their security had
the unintended consequence of decreasing the security of the other superpower82, leading to a
spiral in which they accumulate more military capabilities without making themselves more
secure83.
On top of this, there is what Wheeler and Booth described as the “inherent ambiguity
of weapons”84. Since most weapons can be used for both defensive and offensive purposes, it
is incredibly difficult for decision-makers to foresee with certainty when and how arms may
be used by other states. On this topic, Jervis asserts that “[u]nless the requirement for offense
and defence differ in kind or amount, a status quo power will desire a military posture that
resembles that of an aggressor. For this reason, others cannot infer from its military forces and
preparations whether the state is aggressive”85. Armament, therefore, is the material reality that
initiates the security dilemma86.
77 Gunitskiy 2011, 595; Supra note 65, at 4. Mearsheimer argues that governments can never be sure of the intentions of other states and that “intentions are impossible to divine with 100 percent certainty”. He also highlights that “intentions can change quickly, so a state’s intentions can be benign one day and hostile the next. Uncertainty about intentions is unavoidable, which means that states can never be sure that other states do not have offensive intentions to go along with their offensive capabilities” (Supra note 74, 2001, at 31). 78 Herz 1959, 241. 79 Hollis and Smith 1990, 171-172. 80 Supra note 71, at 169-70. 81 Ibid. 82 Jervis 2017, xiii-xiv. 83 Tang 2009, 594. On this topic, Libicki explains that “[d]uring the Cold War, when deterrence was the only feasible response to threat posed by the other side’s nuclear weapons, any attempt to build more weapons of bring them to a higher state of readiness […] would alarm the other side who would feel impelled to do likewise” (Libicki 2016, 129). 84 Supra note 65, at 4. 85 Supra note 83, at 64. Therefore, even benign, security-seeking actors can be dragged into an arms race. 86 Supra note 65, at 1.
17
Before proceeding, a few points still need to be considered and further clarified vis-à-
vis the security dilemma concept. First, arms race is the most distinct expression of the vicious
circle of the dilemma, but it is not the only one. For instance, the competition among imperialist
powers for colonies in the late nineteenth and at the beginning of the twentieth centuries is
considered to have been fuelled by a security dilemma87. Second, the security dilemma will
never be real, it will always be apparent88. The dilemma can only exist if both states have
benign motives; if, however, one state (or even both of them) has malign intentions, thus the
situation cannot be described as a security dilemma, but as a security problem89. As Schweller
aptly put it, “[i]f states are arming for something other than security; that is, if aggressors do in
fact exist, then it is no longer a security dilemma”90. Finally, according to Wheeler and Booth,
the security dilemma can be mitigated via the development of international institutions and
legal regimes91. Insecurity, however, cannot be completely eliminated.
Certainly, Herz’s and Butterfield’s original formulations of the security dilemma were
an interesting development from the realist school of thought92. In its classical form, however,
the concept may be of limited use in analysing the modern international system, which has a
well-establish legal framework regulating the use of force, and in which most states are no
longer threatened whether by war or external aggression93. But this does not mean that the
security dilemma is irrelevant or even obsolete for international security studies. On the con-
trary, it remains an extremely important tool for both policymakers and scholars since it can
and has been reconceptualized to address modern challenges, including cyber-security ones.
87 Supra note 83, at 66. 88 Supra note 74, at 117. 89 Supra note 75, at 31. “If the threat posed by one state to another […] is accurately perceived […] then the situation cannot be classified as a security ‘dilemma’. It is simply a security ‘problem’, albeit perhaps a difficult one”. 90 Supra note 74, at 117. This argument generates an obvious puzzle, however: how can one know if threats are real or just apparent? 91 Supra note 65. 92 Note that realism is hardly the only school of thought to use the concept. The security dilemma has been broadly employed by liberals (see Doyle 1983; Oneal and Russett 1999; Cederman 2001), neoliberals (see Axel-rod and Keohane 1985), constructivists (see Wendt 1995), to name a few. 93 Bluth 2011, 1375.
18
Chapter 3 – The Attribution Problem
One threshold issue in discussing cyber-attribution involves the definition of attribution
itself, a question that certainly pervades all literature about this topic. At the most general level,
‘attribution’ refers to the identification of the responsible entity for a malicious cyberattack94.
What is understood by ‘responsible entity’, however, can vary. There are usually three types
of answers: the specific computing device used to carry out an attack, the individual pressing
the keys that launch an attack, and ultimately the party that supervised and controlled the at-
tack95. According to Lin, even though “these three types of attribution are conceptually distinct,
they are often related in practice”96. Particularly, identifying the machine from which an attack
was launched might provide some clues that can assist unveil the human attacker’s identity,
which in turn can help determine the individual or entity responsible for authorizing or acqui-
escing the cyber operation. Still, each of these types offer different challenges, increasing the
difficulty of the attribution process.
Although attributing cyberattacks is not a new challenge97, the attribution debate is de-
veloping “surprisingly slowly”98. Scholars and experts have been dwelling upon the subject
and hold a full spectrum of views on it. At the positive end of the spectrum are those, like Rid
and Buchanan, who argue that cyber-attribution is not only possible, but “it has been happening
successfully for a long time”99. Lindsay strikes a more restrained yet positive note, by charac-
terizing attribution as difficult, but acknowledging that there are strong systems for identifying
the source of intrusions and responding to attacks, with an increasingly amount of investments
being devoted to investigations100. At the other end of the spectrum, Singer and Friedman char-
acterize attribution as “[p]erhaps the most difficult problem” in cyberspace101, and Eun and
Aßmann argue that “determining the real aggressor is impossible unless the aggressor admits
to it”102. Shackelford further echoes this idea by affirming that sophisticated cyberattacks are
“nearly impossible to trace to their sources”103.
94 Ibid., 5. 95 Lin 2016, 5. 96 Ibid., 13. 97 Supra note 12, at 955. 98 Supra note 33, at 5. 99 Ibid., 31. 100 Supra note 36. 101 Supra note 48, at 73. 102 Eun and Aßmann 2016, 355. 103 Shackelford 2010, 200. Brecher share the same idea that cyberattacks “can be nearly impossible to attribute definitively to their sources” (Brecher 2012, 423).
19
3.1 Why is attribution so difficult?
There are a number of answers to this question. First, many academics and experts sug-
gest that the difficulty in attributing blame for cyberattacks is mainly due to the intrinsic char-
acteristics of the cyber domain104. The structural anonymity, which has been one of the hall-
marks and biggest strengths of the Internet, provides the perfect venue for state and non-state
actors to undertake malicious operations without fearing attribution or retaliation. The Internet,
as Lindsay points out, “was designed to make connections easy and reliable even when the true
identity of the connector and the path of the connection were unknown; security did not figure
strongly in its early design”105. Lupovici, however, seems to disagree on the premise that cy-
berspace is an inherently anonymous domain. Even though he recognizes that some aspects of
the Internet make harder to attribute an attack, he argues that anonymity is a socially attributed
trait and, therefore, cyberspace could be structured in a way that does not uphold this charac-
teristic106. Along this line of thinking, McConnell suggests that the only solution for the attrib-
ution problem is redesigning the Internet so that attribution and geolocation are more feasi-
ble107. Such a change, however, would be a massive undertaking and probably would not help
to prevent the increasingly sophisticated cyberattacks that are being launched today108. At the
same time, reengineering the entire computer network would reduce its efficiency and depend-
ability, and would bring into question characteristics of the current Internet, such as freedom
of action and privacy, that are treasured by many, including intelligence agencies109.
Second, cyber-attribution is further complicated by the fact that hackers have at their
disposal a variety of programs, techniques and applications to conceal the identity of their own
Internet Protocol (IP) addresses and thus to thwart detection. One common practice that attack-
ers employ to hide their online trail is to break into poorly secured internet servers or even
personal computers and use them as proxies through which they can launch a cyberattack110.
104 Lupovic 2016, 322; Supra note 25, at 387. 105 Lindsay 2013, 375-76. 106 Supra note 74, at 330. Lupovici further argues that the current assumption that anonymity is inherent to the cyber domain might affect states’ policies. “Defenders, discouraged from relying on cyber deterrence, may re-fuse to invest in efforts to establish it. This will decrease the efficiency of cyber deterrence and, as a result, re-inforce the existing common knowledge that this strategy is doomed to fail”. (Supra note 104, at 331). 107 McConnell 2010. 108 Supra note 10, at 3. For instance, Rid argues that McConnell suggestion “is not only unrealistic, it would not even solve the problem at hand” (Rid 2013, 140-41). For Tran, “even if the Internet could arduously be rede-signed to authenticate the source IP address of every bit of data sent over the Internet, these addresses would accomplish the goal of merely identifying the source machine of an attack, and not a person, thereby creating another degree of attenuation between an attack and the attacker” (Tran 2018, 390). 109 Ibid. 110 Greenemeier 2011.
20
“The IP address therefore does not present the attacked state with a physical location to blame
or even attack in response. The discovered server could be located in a neutral, friendly or even
your own country”111. According to Lipson, “an IP address is a poor surrogate on which to
establish a basis for trustworthiness”112. The cyberattacks that hit Estonia, for instance, origi-
nated from at least 177 countries, such as the United States, Russia, Peru, Egypt, and Estonian
itself113. As Brenner effectively observed, “the Internet is one big masquerade ball. You can
hide behind aliases, you can hide behind proxy servers, and you can surreptitiously enslave
other computers without their owners’ knowledge – and then use their computers to do your
dirty work”114. Another prime example of a technology available to obfuscate one’s traces in
cyberspace is the Central Intelligence Agency’s (CIA) Marble Framework, which is capable of
altering the language of the code from English to another foreign language, such as Chinese,
Russian, Korean, Arabic and Farsi115.
In this regard, Dinstein argues that future technological improvements will probably
overcome the challenges that prevent cyber-attribution116. Indeed, governments are more ca-
pable of attributing responsibility for cyberattacks than they were a decade ago, and these tech-
nological advancements and innovations have boosted states’ confidence117. For example, in
2014, Canada indicated to possess robust systems in place that allow the detection of highly
sophisticated attacks, even those launched by state-sponsored actors118 and, in 2015, the United
Kingdom’s Chancellor affirmed that “we are increasingly confident in our ability to determine
from where attacks come”119. It is important to bear in mind, however, that the technical realm
is so “dynamic” that new technologies both enhance and hinder states’ ability to attribute ma-
licious attacks120, generating “a cycle of escalating offensive and defensive capabilities”121.
Third, even if it is possible to overcome all the technological issues mentioned above
and identify the machine used to carry out a cyberoperation with sufficient certainty, cyber-
111 Supra note 102. 112 Lipson 2002, 56. 113 Roscini 2010, 97; Supra note 28. 114 Brenner 2011, 13. 115 Mueller et al. 2019, 110; Leyden 2017. 116 Dinstein 2002, 112. Similarly, Roscini argues that “further developments in computer technology and Internet regulations might also make it easier to identify the source of the cyberattack” (Roscini 2010, 97) 117 Supra note 42, at 23 118 Canada, Statement by the Chief Information Officer for the Government of Canada (July 29, 2014). 119 United Kingdom, Chancellor’s speech to GCHQ on cybersecurity (November 17, 2015). 120 Supra note 33, 1510. 121 The improvements in technical attribution might be matched over time by developments in attackers’ abili-ties to conceal their identities, and this “cat-and-mouse game” will continue to cyber-attribution difficult. Supra note 93, at 9.
21
attribution remains challenging due to what has been called the “human machine gap”122 or
“entry-point anonymity”123. That is to say, attribution can only be accomplished if the individ-
ual or organization who was operating the computing device can also be identified. With this
in mind, it should be noted that rarely does the location of a computer provide precise conclu-
sions vis-à-vis the machine operator’s identity124. Therefore, knowing that a cyberattack was
executed on the territory of a state, or from the governmental cyber framework of a state, is not
enough to attribute said attack to that state125.
Fourth, it may be quite difficult to determine the ultimately responsible entity as far as
state responsibility is concerned. Even if it is possible to overcome all the technological chal-
lenges and identify the human attacker, there remains the question of whether or not there is a
relationship between the individual pressing the keys and the state actor. Is the attacker an
officially sanctioned government agent? Or is it a third party operating on their own? Deibert,
Rohozinski, and Crete-Nishihata acknowledge that there is an increasing tendency towards pri-
vateering cyberattacks, and states are particularly interested in this market since it “allows them
to execute their missions once removed and clandestinely, thus offering plausible deniability
and avoiding responsibilities under international law or the laws of armed conflict”126.
Moving to the legal aspect of attribution, a state will only be held responsible for an
internationally wrongful action that is attributable to the state under public international law or
that constitutes a breach of an international obligation of the state127. On this point, it is im-
portant to note that, traditionally, there has been an extremely high bar for establishing state
responsibility for acts of non-state actors128. Drawing from the International Law Commis-
sion’s (ILC) Articles on Responsibility of States for Internationally Wrongful Acts, a state can
be held liable for the conduct of a non-state actor if the latter is “acting on the instruction of,
or under the direction or control of” the state129. Note that, sadly, the concepts of ‘instructions’,
122 Geiß and Lahmann 2009, 625 123 Supra note 111. 124 Supra note 120. 125 Supra note 55, at 646. 126 Deibert, Rohozinski, and Crete-Nishihata 2012, 17. 127 International Law Commission, Draft Articles of Responsibility of States for Internationally Wrongful Acts, November 2001, Supplement No. 10 (A/56/10), art. 2. It is important to note that the ILC’s rules are not a treaty and therefore they are not binding on any state. Yet, these rules were commended by the UN General Assembly in 2012 (UN Doc. A/RES/56/83) and have been mentioned 154 times by international courts, tribunals, and other bodies. (United Nations Legislative Series, Materials on the Responsibility of States for Internationally Wrongful Acts, 2012, ST/LEG/SER.B/25, viii). 128 Supra note 31, at 204. 129 Ibid., art. 8.
22
‘direct’, and ‘control’ all need further explanation130. According to the commentary to the Ar-
ticles on State Responsibility, ‘instruction’ comprises private individuals or groups acting as
an auxiliary of the state131. More problematic issues, however, arise in determining the concepts
of ‘direction’ and ‘control’, for the commentary falls short and does not explain the difference
between both of them. Rather, it only says that the terms are “disjunctive”132. International
tribunals have also failed to make a distinction between the three concepts with any level of
detail. Therefore, as Schmitt put it, “the prevailing approach tends towards a binary distinction
in which either a state tells a non-state actor to perform an act (instruction or direction) or the
state exercises ‘effective control’ over the non-state actor with respect to the act in question”
133.
The effective control test was coined by the International Court of Justice (ICJ) in its
Nicaragua v. United States of America judgement134. Even though the Court does not provide
a definition for the expression, it has asserted that a state’s participation in the form of “financ-
ing, organizing, training, supplying, and equipping” the non-state actor does not rise to the
degree of effective control135. In this sense, for example, supplying malware to a terrorist group
would not result in state responsibility. In fact, even if the state plans the whole operation and
selects the military targets, it still would not be enough to result in attribution136. Furthermore,
taking into considerations the technical challenges aforementioned, determining that a hacker
was under the effective control of a nation-state at relevant time is probably impossible137. For
instance, the 2007 cyberattacks targeting Estonia were partially attributed to the pro-Kremlin
youth group Nashi, but it is not clear whether Russia was involved in the incident138.
In Prosecutor v. Tadic, the International Criminal Tribunal for the Former Yugoslavia
(ICTY) lowered the threshold by adopting the much less restrictive overall control test, which
130 Schmitt 2017b, 9. 131 International Law Commission, Draft Article of Responsibility of States for Internationally Wrongful Acts with Commentaries, November 2001, Supplement No. 10 (A/56/10), art. 8, para. 2. 132 Ibid., para. 7. 133 Supra note 99. 134 International Court of Justice, Case Concerning Military and Paramilitary Activities in and Against Nicaragua (Nicaragua v. United States of America), Merits, 27 June 1986, para. 115. 135 Ibid. 136 Ibid. 137 Supra note 29, at 563. 138 Supra note 9, at 23-24. On this topic, Schmitt and Vihul note that care should be taken when assuming state sponsorship of non-state cyberoperations because non-state actors can launch cyberattacks at a “fairly low cost and without access to the technical wherewithal of states” (Schmitt and Vihul 2014, 56).
23
applies to an “organized and hierarchically structured group” 139. In light of the latter, the over-
all control test seems inappropriate for cyberspace, where the activity is more decentralized
and rarely follows a hierarchical form. According to the ICJ in Bosnia and Herzegovina v.
Servia and Montenegro, the “overall control test is unsuitable, for it stretches too far, almost to
breaking point, the connection which must exist between the conduct of a State’s organs and
its international responsibility”140. One then is left to question the legal validity of this test.
Regardless of whether effective control or overall control ultimately suits the cyber
domain, the attribution bar continues to be extremely high. As a result, states are prevented
from adopting any lawful response to a cyberattack, including their inherent right to self-de-
fence, encouraging retaliatory operations outside the existing legal structure141. Against this
background, some scholars have suggested that one possible solution to these legal challenges
is to lower the attribution standard. Schmitt, for instance, defended an indirect responsibility
approach by which a state might be held responsible for the consequences of non-state actors’
unlawful operations on its territory “when it fails to take reasonably available measures to stop
such acts in breach of its obligations to other states”142. Lowering the attribution bar, however,
increases the chances of misattribution and conflict escalation.
Fifth, another factor that contributes to the difficulty of attributing cyberattacks is the
presence of dynamic and sophisticated non-state actors. Traditionally, states and non-state ac-
tors were distinguished by significant imbalances not only in legal status, but also in resources
and capabilities. The cyber domain, however, seems to offer great opportunities for non-state
actors to challenge and, in some situations, to overcome states’ hegemony143. Indeed, today
these entities need as much or more attention than other international player due to their ability
to profoundly disturb international peace and security. Nevertheless, these actors “enjoy a rel-
ative degree of impunity” for the harmful effects of their actions144 since international law does
not offer a tailored framework based on which non-state actors can be held responsible for
unlawful acts145. In this sense, an adequate legal response to the attribution problem should
139 United Nations, International Tribunal for the Prosecution of Persons Responsible for Serious Violations of International Humanitarian Law Committed in the Territory of the Former Yugoslavia since 1991, Prosecuter v. Dusko Tadic, Case no. IT-94-1-A, Appeals Chamber, Judgment, 15 July 1999, para. 120. 140 International Court of Justice, Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v. Serbia and Montenegro), 26 February 2007, para. 406. 141 Supra note 31, at 205. 142 Schmitt 2011, 580. 143 Supra note 7, at 595. 144 Supra note 55, at 647. 145 d’Aspremont et al. 2015, 53-54.
24
address the inexistence of attribution mechanisms for malicious cyberoperations launched by
non-state actors.
Finally, attributing blame for malicious cyberoperations is vastly time-consuming and
expensive146, limiting the number of actors that can bear the cost of it and, thus, hampering
attribution. The investigation of cyberattacks is a complex process that requires detailed anal-
ysis of technical data, as well as a deep comprehension of political and economic motiva-
tions147. Consequently, as Sheldon points out, “the forensics of attribution can rarely, if ever,
give immediate results and can take days if not weeks to provide solid technical evidence”148.
Further, former U.S. Deputy Secretary of Defence William Lynn III recognized the struggle to
attribute cyberattacks, observing that “[t]he forensic work necessary to identify an attacker may
take months, if identification is possible at all”149. Cyber-attribution, however, is nearly useless
if it takes too long and is not able to identify all the actors involved in the attack150.
These are the numerous hurdles, both technological and legal, that have been oft-men-
tioned as a hindrance to the development of an effective legal framework for governing
cyberattacks151. In spite of the fact that previous literature on cybersecurity perceived the at-
tribution problem as an insurmountable technical issue, recent scholars and experts have begun
to acknowledge that actual attribution might not be rocket science after all152. As Carlin aptly
put it, “although attribution is difficult, it is far from impossible”153.
3.2 Why does cyber-attribution matter?
Considering the number of obstacles that significantly limit cyber-attribution, one is
then left to question whether or not the matter is worth international society’s attention. What
are the purposes of attributing blame for a cyberattacks? Why should states and international
stakeholders endeavour to solve the attribution problem?
146 Supra note 13, at 956. 147 Supra note 3, at 2. 148 Sheldon 2014, 289-90 149 Lynn III 2010, 99. 150 Carlin 2016, 409. The duration of the investigation is relevant for cyber-attribution because if a targeted state takes too long to respond, any countermeasures adopted may be seen as punishment, forbidden under public international law. On the other hand, if a targeted state engages in countermeasures too early and has wrong-fully attributed the cyberattack, it will have committed an internationally wrongful act itself. 151 According to Shackelford, “the international law doctrine of attribution is in fact an essential ground for reg-ulating cyberattacks” (Shackelford 2008, 233). 152 “Actual attribution of cyber events is already more nuanced, more common, and more political than the literature has acknowledged so far” (Supra note 62). 153 Supra note 119.
25
To start with, cyber-attribution function goes well beyond the mere identification of the
responsible entity for a malicious cyberattack; it also serves as a legitimizing tool to justify
both formal and informal sanctioning behaviour to other international actors154. According to
Article 22 of the ILC’s Draft Articles on State Responsibility, a state that has been the target of
an internationally wrongful act may adopt countermeasures155 – actions that would otherwise
be unlawful156. In order to do so, the victim state must identify the state actor which is respon-
sible for the internationally wrongful act157. Eichensehr argues that “[s]uch an attribution could
be done privately, but if so, the victim state would risk other states viewing its countermeasures
as an initial wrongful act, rather than a lawful response”158. Tran adds to the discussion by
explaining that even in situations where formal law is not the answer, states would still be
required to attribute responsibility in order to implement any informal method of sanctioning
the attacker159. Thus, attribution is a crucial and necessary prerequisite to any further legal
action, be it countermeasures, diplomatic responses or any other informal kind of response.
Consequently, it is not unreasonable to assume that solving the attribution problem is the piv-
otal first step to establish any functioning system of law that regulates cyberattacks.
Additionally, publicly attributing the blame for a cyberattack, and consequently sharing
specific aspects of it, may help network defenders identify possible vulnerabilities in the system
and, thus, prevent future attacks160. It is often cited that, in some cases, attribution may also
lead to macro-level deterrence. By identifying the culprits of a cyberattack, states are able to
publicly name and shame them. Potentially, this practice will cause the named actor, and even
third parties, to refrain from future operations161. For instance, in 2014, the USA criminally
charged five Chinese military hackers for cyberespionage against U.S. corporations and “[f]or
a period of time following the indictments, there was a very significant decrease” in Chinese
154 Supra note 25, 386. 155 “The wrongfulness of an act of a State not in conformity with an international obligation towards another State is precluded if and to the extent that the act constitutes a countermeasure taken against the latter State” (Supra note 96, art. 22). 156 According to the Tallinn Manual 2.0, “countermeasures are actions or omissions by an injured State directed against a responsible State that would violate an obligation owed by the former to the latter” (Supra note 15, 111, rule 20 (1)). Note that countermeasures cannot be taken by non-state actors since they are reserved to states. Similarly, such measures cannot be taken against non-state actors, except when their (cyber) actions are attributable to a state actor. “This is because only states commit, as a matter of law, internationally wrongful acts” (Supra note 7, at 606). Also, Banks argues that countermeasures were created to compel a state to desist in its unlawful actions, not as punishment (Supra note 33, at 1502). 157 Supra note 96, art. 49. 158 Supra note 63, at 29. 159 Supra note 25, at 383-84. 160 Supra note 3, at 3. 161 Supra note 63, at 25
26
cyberactivity162. Furthermore, publicly attributing responsibility for cyberattacks might create
micro-level deterrence, which is related with the adoption of domestic legal procedures and
economic sanctions163. According to Goldsmith and Williams, the costs of these measures “are
not nothing; would-be state-sponsored cyber-intruders and their principals surely take them
into account”164. Micro-level deterrence, therefore, could be more successful than its macro-
level counterpart165. According to Finnemore and Hollis, publicly attributing cyberattacks pro-
mote “interactions between the accuser, the accused, and third-party audiences that – over time
– may result in the creation of a new norm”166. Note, however, that public attribution alone
may not be sufficient to deter malicious cyberactivity or produce cyber accountability, partic-
ularly if the responsible actor does not care if his/her identity and behaviour are made public.
From an international relations perspective, states and international stakeholders should
care about the attribution problem due to its capacity to deteriorate the international political
environment. As noted earlier, attributing blame for a cyberattack is no easy task and thus the
chances of a malicious cyber operation being framed wrongfully is extremely high. Indeed,
misattribution is substantially more likely vis-à-vis cyberattacks than traditional kinetic war-
fare167. With this in mind, one should be cognizant that there is a tendency to explain malicious
cyber incidents in terms of geopolitical conditions and existing rivalries168, particularly soon
after a cyberattack when there is a haste to identify the culprits, to strengthen defences and to
retaliate. The 2007 Estonian cyberattack provides one of the clearest examples of this tendency.
Due to past Russian actions and the political atmosphere at the time, the attack was attributed
to Russia and this explanation was later questioned by cyber experts. A yet more recently ex-
ample is the 2015 Ukraine power grid cyberattack. Ukraine’s intelligence community was
quick to blame Russia for the attack because it was perceived as an escalation of the conflict
162 Nakashima 2015. 163 To build upon the previous example, in addition to the criminal charges, the Chinese hackers cannot travel to the United States or other country with which it has extradition treaty; if they do, they could be extradited to the USA and face trial. Nor can they engage in financial transactions that touches the U.S. or other sanctioning state financial system. 164 Goldsmith and Williams 2018. 165 Nevertheless, Eichensehr explains that the effectiveness of micro-level deterrence might vary according to the nationality of the hackers (“losing the ability to travel or to store money in Western Europe may be less of a blow to North Korean hackers than to Russians”), and depends on the level of coercion to which the cyber-attackers are subject (“[i]f their actions on behalf of their government are not voluntary, then the hackers will not alter their behaviour in response”) (Supra note 63, at 27). 166 Finnemore and Hollis 2019, 10-11. 167 Supra note 29, at 556 168 Supra note 13, at 960. Besides heightening the risk of misattribution, this tendency to blame the most obvious culprits prevents alternative explanations from being developed, as well as invites lesser rivals or non-state ac-tors to provoke hostilities. Schulzke argues that “[a]s the risk of being caught diminishes, the costs of attack decrease and the potential benefits become even more attractive” (Supra note 13, at 961).
27
between both countries169. However, no proof was ever offered to support this allegation and
it is believed that the power grid system had been compromised before the hostilities. Had
Ukraine adopted any retaliatory measures, the tension would have heightened and the conflict
could have spilt out of the cyber domain and into the physical world.
It is perhaps useful to underline that the most active participants in the cyber domain
are also some of the world’s most powerful states, to wit: The United States, Russia and China.
Taking into account that each of these states are equipped with a nuclear armoury, misattrib-
uting a cyberattacks could trigger off destructive conflicts with potential to threat the whole
international system, putting a premium on a confident degree of cyber-attribution170. On top
of this, the relative availability and fairly low cost of the technology necessary to launch an
attack171 in cyberspace “leaves the potential for mass destruction within the grasp of far less
sophisticated non-state actors and organizations”172. So, it does not take much imagination to
see the potential threats an unregulated cyber domain pose to international security, economy
and also to states’ infrastructure.
In this regard, inspired by great theorists such as Thomas Schelling, Robert Jervis, and
John Herz, among others, Buchanan took the basic foundation of the security dilemma theory
and employed it to cyberspace. A ‘cybersecurity dilemma’ is said to exist when one country
cannot increase the security of its digital infrastructure, either through the creation of offensive
of defensive cyber capabilities, without decreasing other’s cybersecurity. According to Bu-
chanan, the cybersecurity dilemma can be potentially more dangerous and escalatory than tra-
ditional kinetic conflicts because, in cyber domain, there is a “perception of offense-domi-
nance”173, making defensive measures to be perceived as offensive and threatening. With this
in mind, cyberspace appears to be the perfect environment for the security dilemma to thrive.
The lack of clarity vis-à-vis the intentions and capabilities of cyber warfare, therefore, have the
potential to undermine trust174, rise escalation fears, provoke an arms race or even an interna-
tional armed conflict175. “As cyberoperations become more potent and computer networks
grow still more important, the dilemma’s dangers – already real – will only grow”176.
169 Zetter 2016. 170 Supra note 39, at 192. 171 Supra note 107, at 55. 172 Payne 2016, 684-85. 173 Buchanan 2017, 108-09. 174 Ibid., 191. 175 Jinghua 2019. 176 Ibid., 194.
28
It is well settled that cyberspace is a phenomenon of international relevance. As a result,
the uses and abuses of this borderless virtual domain encroach on states concerns in the physical
world, such as national security, economic development and public order and safety. Cyberse-
curity, like other global challenges faced by the existing international community, extends far
beyond the domain of a single state and, therefore, cannot be appropriately addressed by any
single international actor, regardless of how influential it might be. Given the increasing costs
of insecurity and uncertainty associated with an unregulated cyberspace, international actors
may soon come to realize the necessity of an international legal framework capable of address-
ing cyberattacks.
29
Chapter 4 – International Law and Cybersecurity
In spite of the fact that the principal building blocks of the World Wide Web were laid
more than two decades ago, the community of states was not able to reach a broad international
agreement on how to govern the cyber domain. In fact, some scholars even suggest that cyber-
space seems “resistant to codification of the applicable rules in a comprehensive multilateral
binding treaty”177. Note, however, that the dearth of cyber-specific regulations is not for lack
of trying by major international actors. Already in 1996, the French government pushed for the
creation of the Charter for International Cooperation on the Internet, which would be “an
accord comparable to the international law of the sea”178. The proposal, however, was met with
apathy by other international stakeholders.
Afterwards, in January 2002, the UN General Assembly requested the Secretary-Gen-
eral to settle a group of governmental experts to conduct a study on “relevant international
concepts aimed at strengthening the security of global information and telecommunications
systems”179. The United Nations’ Group of Governmental Experts (GGE) on Developments in
the Field of Information and Telecommunications thus became the leading state-based initia-
tive for the codification of international law vis-à-vis the cyber domain180, but its success was
limited. Between 2004 and 2015, the GGE submitted three reports which expressed the unani-
mous opinion of the state-participants181.
The 2010 report was welcomed with great enthusiasm by the international community
even though it brought an array of “very rudimentary findings and recommendations” 182 and
did not present much legal clarity. However, it highlighted that state actors are developing ICTs
177 Supra note 43. 178 Wu 1997, 660. 179 United Nations General Assembly, Developments in the field of information and telecommunications in the context of international security, A/RES/56/19, 7 January 2002. 180 Supra note 55, at 647. Another worthwhile example of a state-based initiative is the Code of Conduct for Information Security, put forward by China, Russia, Tajikistan and Uzbekistan. The proposal was submitted to the UN General Assembly twice, in 2011 and 2015, but it was not met with enthusiasm by the international community. Note that that the 2015 proposal was also co-sponsored by Kyrgyzstan and Kazakhstan. United Na-tions General Assembly, Letter dated 12 September 2011 from the Permanent Representatives of China, the Rus-sian Federation, Tajikistan and Uzbekistan to the United Nations addressed to the Secretary-General, A/66/359, 14 September 2011; United Nations General Assembly, Letter dated 9 January 2015 from the Permanent Repre-sentatives of China, Kazakhstan, Kyrgyzstan, the Russian Federation, Tajikistan and Uzbekistan to the United Nations addressed to the Secretary General, A/69/723, 13 January 2015. 181 To wit: Belarus, Brazil, China, Colombia, Egypt, Estonia, France, Germany, Ghana, India, Israel, Italy, Japan, Kenya, Malaysia, Mexico, Pakistan, Qatar, the Republic of Korea, the Russian Federation, Spain, South Africa, the United Kingdom of Great Britain and Northern Ireland, and the United States of America. 182 Henriksen 2019, 2.
30
“as instruments of warfare and intelligence, and for political purposes” and affirmed that
“[u]ncertainty regarding attribution and the absence of common understanding regarding ac-
ceptable State behaviour may create the risk of instability and misperception”183.
In the 2013 report, the GGE reasserted the importance of “common understanding on
norms, rules and principles applicable to the use of ICTs” to advance peace and security184.
More substantially, it recognized that “[i]nternational law, and in particular the Charter of the
United Nations, is applicable and is essential to maintaining peace and stability and promoting
an open, secure, peaceful and accessible ICT environment”185. The Group also claimed that the
principles of sovereignty and state responsibility apply to cyberspace186. Note that, in order to
guarantee unanimity, a draft provision supporting the applicability of International Humanitar-
ian Law (IHL) was excluded from the report187. Even so, many states have publicly endorsed
the application of the laws of armed conflict to the cyber domain. The USA, for instance, is of
the view that “[l]ong-standing international norms guiding state behaviour – in times of peace
and conflict – also apply in cyberspace”188. Similarly, Japan stated that “existing international
law, including the UN Charter and international humanitarian law, naturally applies to acts in
cyberspace”189.
Finally, despite the absence of several important issues and the difficulty in reaching
consensus, the 2015 report was considered a “breakthrough”190. It explicitly mentioned the
General Assembly resolutions on the right to privacy in the digital age191 and noted the princi-
ples of humanity, necessity, proportionality and distinction192, but it did not specifically affirm
that IHL applies to activities in the cyber environment. The GGE further suggested that “[v]ol-
untary, non-binding norms of responsible State behaviour” may prevent conflict in cyberspace
183 United Nations General Assembly, Group of Governmental Experts on Developments in the Field of Infor-mation and Telecommunication in the Context of International Security, UN Doc. A/65/201, 30 July 2010, para. 7. 184 United Nations General Assembly, Group of Governmental Experts on Developments in the Field of Infor-mation and Telecommunication in the Context of International Security, UN Doc. A/68/98*, 24 June 2013, para. 4. 185 Ibid., para. 19. 186 Ibid., para. 20-23. 187 Supra note 42, at 13. 188 United States, The White House, International Strategy for Cyberspace: Property, Security, and Openness in a Networked World, May 2011, 9. 189 Japan, Information Security Policy Council, International Strategy on Cybersecurity Cooperation, October 2013, 9. 190 Marks 2015. 191 The document referenced the UN General Assembly resolutions 68/167 (2013) and 69/166 (2014). United Nations General Assembly, Group of Governmental Experts on Developments in the Field of Information and Telecommunication in the Context of International Security, UN Doc. A/70/174, 22 July 2015, para. 13(e). 192 Ibid., para. 28(d).
31
and minimise risks to international peace, security and stability193. A final point to consider is
that the Group claimed that “accusations of organizing and implementing wrongful acts
brought against States should be substantiated”194. A problem, however, is that at no time the
report clarified what kind of or how much evidence would be necessary to ‘substantiate’ an
accusation195.
It is perhaps useful to point out that, since the 2015 report, the Russian Federation and
China, along with several other states, have continued to advocate for the view that accusations
ought to be substantiated196. On the other end of the spectrum, the USA, France and the United
Kingdom share the position that, under public international law, there is no evidentiary require-
ment for making accusations. In this regard, U.S. State Department Legal Adviser Brian J.
Egan stated that:
[D]espite the suggestion by some States to the contrary, there is no international legal
obligation to reveal evidence on which attribution is based prior to taking appropriate
action. There may, of course, be political pressure to do so, and States may choose to
reveal such evidence to convince other States to join them in condemnation, for exam-
ple. But that is a policy choice – it is not compelled by international law197.
This position was reiterated by the U.K. former Attorney General Jeremy Wright, who ex-
plained that “[t]here is no legal obligation requiring a state to publicly disclose the underlying
information on which its decision to attribute hostile activity is based”198. More recently,
France echoed the same opinion199.
In 2017, the GGE was supposed to submit another report to the UN General Assembly,
but the experts failed to reach consensus due to disagreements over controversial areas of in-
ternational law, such as the right of self-defence, countermeasures, and IHL. According to He-
rinksen, the collapse of the UN GGE initiative was “fairly predictable”200 because the debate
vis-à-vis the regulation of cyberspace is “as much about strategy, politics and ideological
193 Ibid., para. 10. 194 Ibid., para. 28(f). 195 Supra note 63, at 19. 196 For instance, they formally presented a draft UN General Assembly resolution in 2018, asserting that “[s]tates should note that accusations of organizing and implementing wrongful acts brought against States should be substantiated”. (United Nations General Assembly, Developments in the field of information and telecommuni-cations in the context of international security, UN Doc. A/C.1/73/L.27*, 22 October 2018, para. 10. 197 Egan 2017, 177. 198 Wright 2018. 199 “[L]e droit international ne contraint pas les Étais à communiquer les éléments de preuve sur lesquels ils se fondent pour attribuer publiquement une cyberattaque” (Ministère des Armées, République Française, Droit International Appliqué aux Opérations dans le Cyberspace, 2019, 11). 200 Supra note 151.
32
differences (if not more so) than it is about law”201. The Group held promise for the clarification
of cyber-related customary international law, but it left the global community with an unre-
solved legal conundrum in which opinions appear to be diverging and solidifying instead of
converging202. Yet, the GGE reports were a welcomed first step for the discussion on interna-
tional cyber norms and remain extremely relevant203.
One encouraging conclusion is that, in spite of the lack of a specific legal framework,
cyberspace is certainly not a lawless domain beyond the control of public international law. As
it has been pointed out, it is well settled that general principles and rules of international law
also apply to cyber operations204. Indeed, if international law is to be an effective governance
arrangement, it should be flexible to new situations without the necessity to recreate a whole
set of rules on each occasion205. The development of nuclear weapons is a prime example of
this. When the UN Charter was being elaborated, its “framers could not be aware of the threat
of nuclear weapons”206 and therefore the legal instrument did not include this type of armament
in its provisions regarding the use of force. Yet, decades later, the ICJ provided an advisory
opinion arguing that Articles 2(4) and 51 of the UN Charter, concerning the prohibition of the
use of force and self-defence respectively, apply to “any use of force, regardless of the weapons
employed”207. By this logic, the body of international law that governs the use of force should
apply to cyber activities, too208. Despite these advances, however, many underlying questions
remain virtually unanswered. Perhaps most importantly, how are international legal norms sup-
posed to apply to the complex cyber domain?209
201 Ibid. 202 Korzak 2017. 203 Supra note 55, at 648. 204 According to Henriksen, the 2013 UN GGE report “reflected an emerging consensus that cyberspace is subject to the same general principles of international law that governs the more physical domains” (Henriksen 2019, 3). The remaining question, therefore, is which international law? 205 Supra note 42, at 9. On this point, the United States claims that “[t]he development of norms for state conduct in cyberspace does not require a reinvention of customary international law, nor does it render existing inter-national norms obsolete” (United States of America, International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World, May 2011, 9). 206 International Court of Justice, Legality of the Use by a State of Nuclear Weapons in Armed Conflict (Request for Advisory Opinion Submitted by the World Health Organization) and Legality of the Threat or Use of Nuclear Weapons (Request for Advisory Opinion Submitted by the General Assembly of the United Nations), CR 95/25, 1995, para. 46. 207 International Court of Justice, Reports of Judgements, Advisory Opinions and Orders, Legality of the Threat or Use of Nuclear Weapons, Advisory Opinion of 8 July 1996, para. 39. 208 “[T]he mere fact that a computer (rather than a more traditional weapon, weapon system, or platform) is used during an operation has no bearing on whether that operation amounts to a ‘use of force’”. Schmitt 2013, 45 (hereinafter ‘Tallinn Manual’); Schmitt 2017, 328 (hereinafter ‘Tallinn Manual 2.0’). See section 4.1 infra for a detailed debate on the Tallinn initiative. 209 Osula and Rõigas 2016, 14.
33
Note that, besides the general principles and rules of international law, there are some
regional and sectorial legal regimes that are not precisely focused on cybersecurity but never-
theless provide tools that may be used to address specific forms of malicious cyberattacks210.
These include, principally, the 1944 Chicago Convention on International Civil Aviation211,
the 1982 United Nations Convention on the Law of the Sea (UNCLOS)212, the 1992 Constitu-
tion and Convention of the International Telecommunication Union213, the 2001 Convention
on Cybercrime214 and its Additional Protocol215, the 2009 Information Security Agreement of
the Shanghai Cooperation Organization216, and the 2014 African Union Convention on Cyber-
security and Personal Data Protection217. This “patchwork of regulations”218, however, only
govern a small portion of the activities in cyberspace or have a very limited number of mem-
bers219. Therefore, they do not offer a comprehensive or effective framework for dealing with
all forms of cyber operations.
With this in mind, one should be cognizant that, even though cybersecurity has certainly
drawn huge attention in recent years, short-term prospects for the establishment of a far-reach-
ing international treaty or the formation of new customary international law have been de-
scribed as “not encouraging”220, “doubtful”221, and even “unfeasible”222. Given this gloomy
picture, scholars, cyber-experts, and international stakeholders have been attempting to fill the
normative void with their views on how international law applies to the cyber domain. Note
that these non-state-driven initiatives were only possible because of the “power vacuum” cre-
ated by states’ reluctance to undertake the international law-making process223. As a result, by
210 Hathaway et al. 2012, 866. 211 Convention on International Civil Aviation, 7 December 1944. 212 United Nations, United Nations Convention on the Law of the Sea. According to Hathaway et al., Article 19(k) UNCLOS “could be read to prohibit cyberattacks that make use of computer systems on vessels that are at sea” (Hathaway et al. 2002, 873). 213 United Nations, Constitution and Convention of the International Telecommunication Union, vol. 1825 no. 31251, 22 December 1992. 214 Council of Europe, Convention on Cybercrime, ETS No. 185, 23 November 2001. 215 Council of Europe, Additional Protocol to the Convention on Cybercrime, concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems, ETS No. 189, 28 January 2003. 216 Agreement between the Governments of the Member States of the Shanghai Cooperation Organization on Cooperation in the Field of International Information Security, 16 June 2009. 217 African Union Convention on Cybersecurity and Personal Data Protection, 27 June 2014. 218 Supra note 178, at 873. 219 Supra note 42, 12. Note that, despite its recently expansion, the Shanghai Cooperation Organization remains a very limited international organization, with only eight members (China, Kazakhstan, Kyrgyzstan, Russian Fed-eration, Tajikistan, Uzbekistan, India and Pakistan). 220 Supra note 39, at 195 221 Supra note 42, at 47. 222 Goldsmith 2011, 12. 223 Supra note 42, at 12-13.
34
moving into this vacated norm-creating space that once was occupied exclusively by state ac-
tors, the private sector and academia have been acting as norm entrepreneurs224.
4.1 Leading non-state initiatives
Different proposals have been put forwards with distinct scopes of organizational struc-
ture, stakeholder participation, and activity to potentially protect the stability and resiliency of
the global digital environment225. This subject, however, warrant a more extended discussion
than I can here give it. In this sense, this study focuses on the two leading non-state-driven
initiatives that epitomize the phenomenon described above: the Tallinn Manual Project and
Microsoft’s proposals.
The first non-state initiative that tried to address cyberattacks and increase international
cybersecurity was the Tallinn Project, which brought together an international group of inde-
pendent experts led by Professor Michael Schmitt. The project published two editions of the
Manual, respectively in 2013226 and 2017227, under the auspices of the NATO CCD COE. Their
texts, however, must not be seen as representing the views of NATO or sponsoring nations.
Rather, the Manuals should be understood as a reflexion of the views of the of experts, all
acting in their own private capacity228. It should be noted that this project is neither an interna-
tional treaty on cyber law nor does it set forth lex ferenda, but it is a restatement of international
law as it is – lex lata229.
The 2013 edition, entitled the Tallinn Manual on the International Law Applicable to
Cyber Warfare, pays particular attention to cyber activities that occur above the level of use of
force and encompasses purported rules of customary international law, the larger part of which
related to the jus ad bellum (the law governing the use of force)230 and the jus in bello (the law
224 Finnemore and Hollis 2016, 446; According to Finnemore and Sikkink, norm entrepreneurs are “agents having strong notions about appropriate or desirable behaviour in their community” (Finnemore and Sikkink 1998, 896-97). Henry Dunant, the founder of the International Committee of the Red Cross, is a prime example of norm entrepreneurship. 225 For instance, Chernenko et al. recommend the creation of an “independent, international cyber court or arbitrage method that deals only with government-level cyber conflicts” (Chernenko et el. 2018). RAND’s State-less Attribution report, on the other hand, suggests an international organization for cyber-attribution, the Global Cyber Attribution Consortium, which would involve “a broad team of international experts to conduct independent investigations of major cyber incidents for the purpose of attribution” and would operate “without standing state participation” (Supra note 3, at 27-31). 226 Supra note 178. 227 Ibid. 228 Tallinn Manual, 23; Tallinn Manual 2.0, 2. 229 Tallinn Manual, 19; Tallinn Manual 2.0, 3. 230 Tallinn Manual, rules 10-19.
35
of armed conflict)231. The Manual was considered to be a “remarkable achievement”232 and,
according to Banks, provided “much-needed confidence for states that international law applies
in the cyber domain”233. Early reviews, nevertheless, criticized the project’s emphasis on cyber
operations that amount to use of force since, in reality, the majority of, if not all, cyber activities
fall below the use of force threshold234. Another major criticism of the Tallinn Manual is the
dearth of geographic diversity among the group of experts, all of whom hail from Western
Europe, Australia, and the USA. Consequently, the impartiality of the project is challenged,
hindering its acceptability and application by states outside the Global North. China, for in-
stance, has been very critical of the whole Tallinn initiative since it seems to be a North Amer-
ican attempt to “maintain US dominance in the information age”235. As noted by Eichensehr,
the Manual is “channelling, even though not officially representing, a particular worldview
with respect to the laws of armed conflict”236.
In the 2013 Tallinn Manual, no effort was made to establish legal criteria for attributing
blame for cyberattacks237 and attribution is addressed as a problem, instead of “a realistic task
having technical, political and legal aspects”238. Still, some provisions may shed light on the
attribution problem. For example, Rule 5 asserts that “a state shall not knowingly allow the
cyber infrastructure located in its territory or under its exclusive governmental control to be
used for acts that adversely and unlawfully affect other States”239. Note that this provision re-
states in cyber terms the principle put forward in the ICJ’s Corfu Channel Judgement240. The
experts were able to reach consensus on the scope of application of Rule 5241, but they could
231 Tallinn Manual, rules 20-95. 232 Ingber 2017, 1531. 233 Supra note 33, at 1494. 234 Supra note 42, at 16. On this topic, Xinmin explains that the majority of cyberattacks are perpetrated by non-state actors, which are generally seen as cybercrime or infringement of cyber rights that should be governed by domestic criminal law or the law of torts. Also, she points that “[e]ven if some of these attacks are conducted by states or may be attributable to states, most of them fall far below the threshold of ‘threat of use of force’ or ‘armed attack’. Instead, they are only cyber-attacks of minimal levels of intensity, which are comparable to other internationally wrongful acts such as interference with internal affairs of other states” (Xinmin 2016, 189-29). 235 Supra note 152, at 4. 236 Eichensehr 2014, 588. 237 Fleck 2013, 338. 238 Ibid., 334-35. 239 It is important to point out that this rule has since been included in the 2015 UN GGE report: “[s]tates should not knowingly allow their territory to be used for internationally wrongful acts using ICTs” (Supra note 161, para. 13 (c)). 240 “Such obligations are based […] on certain general and well-recognized principles, namely: […] every State’s obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States”. Interna-tional Court of Justice, The Corfu Channel Case, Merits, 9 April 1949, 22. 241 “As to scope of application, this Rule covers all acts that are unlawful and that have detrimental effects on another state. (Tallinn Manual, Rule 5, para. 5, 33).
36
not agree whether this rule applies (1) to states through which cyberattacks are routed242, (2) to
states that only have constructive knowledge243, and (3) to situations in which the relevant acts
are purely prospective244.
Other noteworthy provision in the Manual is Rule 6, which affirms that “a State bears
international legal responsibility for a cyber operation attributable to it and which constitutes a
breach of an international obligation”. In this regard, the experts agreed that, in specific cir-
cumstances, the acts of non-state actors might be attributable to a state and therefore cause that
state’s international legal responsibility245. The non-state actor, however, must be either acting
“on the instructions of” or “under the direction or control” of that state246.
In 2017, the Tallinn Manual 2.0 on the International Law Applicable to Cyber Opera-
tions was published, expanding considerably the scope of the project. Now, it also includes the
analysis of the international legal framework that applies to malicious cyberattacks that do not
meet the use of force threshold. Furthermore, the new Manual addresses peacetime legal re-
gimes, such as state responsibility, human rights law, and the laws of space, air, and the sea.
On the whole, the Tallinn 2.0 “reflects a careful effort to move international law forward in the
challenging domain of cyberspace”247. Mačák further echoes this idea by arguing that the ex-
pansion and revision of the document will probably “further strengthen the project’s overall
relevance as well as its claim to authority”248. Banks, on the other hand, explains that the Tal-
linn 2.0’s provisions and commentaries are “necessarily general in nature, sometimes ambigu-
ous, and do not necessarily reflect settled international law”249.
Regarding cyber-attribution, in spite of the expectations surrounding its publication, the
2017 Tallinn Manual did not go any further than the previous edition in providing an effective
legal solution to the attribution problem250. Rather, the experts limited their analysis of cyber-
attribution to the well-established Articles on State Responsibility, codified by the ILC251. This
body of law, as its name suggests, only offers prescriptive norms when there is a state nexus
242 Tallinn Manual, Rule 5, para. 12. 243 Tallinn Manual, Rule 5, para. 11. 244 Tallinn Manual, Rule 5, para. 7. 245 Tallinn Manual, Rule 6, para. 9. 246 Ibid. 247 Ginsburg 2017, 205. 248 Supra note 42, at 17. 249 Supra note 33, at 1494. 250 Supra note 55, at 643. 251 Rules 14-19 of the Tallinn Manual 2.0 basically import noncyber discussions on state responsibility to cyber-space.
37
and, therefore, provides no legal understanding vis-à-vis the attribution of cyberattacks to non-
state actors operating on their own252.
Despite criticism, the Tallinn initiative provides a comprehensive and attentive analysis
of how the jus ad bellum and jus in bello applies to the cyber environment, along with valuable
commentaries on controversial issues that need to be further discussed. Even though the reli-
ance on Western-centric approaches might handicap Tallinn’s acceptance in non-Western
countries, such as China and the Russian Federation, the project still is an essential tool for
scholars, international lawyers, policymakers, and international stakeholders253.
In 2014, Microsoft Corporation published a white paper entitled International Cyber-
security Norms: Reducing Conflict in an Internet-Dependent World254. It was the first thorough
proposal to seek the definition of acceptable and unacceptable state conducts online, with the
purpose of decreasing risks and bringing predictability and stability to the international sce-
nario255. In short, Microsoft proposed six cybersecurity norms to limit conflict and improve
cyber defences256. These norms are intended to “reduce the possibility that ICT products and
services could be used, abused, or exploited by nation states as part of offensive operations”257.
Note that, like both editions of the Tallinn Manual, Microsoft’s white paper suggests guidelines
of state conduct and is openly state-centric in its approach258.
The project was widely criticized for emphasizing the role of states and thus overlook-
ing the relevance of the private sector, in particular the global ICT industry, for the promotion
of international cybersecurity259. In response to these claims, Microsoft released another white
paper, From Articulation to Implementation: Enabling Progress on Cybersecurity Norms, in
which the Corporation outlines six further cybersecurity norms. This time, however, the norms
were directed at ICT companies260. For instance, the paper calls upon the ICT industry to “assist
public sector efforts to identify, prevent, detect, respond to, and recover from events in
252 Supra note 33, at 1495. 253 Supra note 209, at 585. 254 Note that Microsoft’s proposal was not the first time a private company put forward an initiative of this kind. Already in 1999, the CEO of AOL, Steve Case, strongly recommended states to “revis[e] outdated and ‘country-centric’ laws on telecommunications and taxes that could thwart the growth of the medium” and instead sup-port “international standards – from security, to privacy, to taxation”. (Case, Steve, Remarks Prepared for Deliv-ery (via satellite) Israel ’99 Business Conference’, 13 December 1999, cited in Goldsmith and Wu 2006, 26) 255 McKay 2014, 2. 256 For the complete list of the proposed cybersecurity norms, see McKay 2014, 20. 257 Ibid., 11. 258 Supra note 42, at 17. 259 Charney et al. 2016, 3. 260 Ibid.
38
cyberspace”261. Furthermore, in 2017, the President of Microsoft, Brad Smith, proposed the
adoption of a “Digital Geneva Convention” to protect civilians from nation-state cyberat-
tacks262. Such a convention would include an independent attribution organization that could
“address cyber threats in a manner like the role played by the International Atomic Energy
Agency in the field of nuclear non-proliferation”263. This organization would also facilitate
cooperation between academia, governments, technology companies, and civil society in the
sphere of cyber-attribution.
Note that, while the rules brought by the Tallinn Manuals articulate purported custom-
ary international obligations that by themselves are binding on all states, except persistent ob-
jectors264, the norms put forward by Microsoft’s proposals are only broad suggestions that do
not create any right or legal obligation. In other words, Microsoft’s norms are “more aspira-
tional than realistic” and require states to translate them into legally binding rules, which takes
time and commitment265. Despite this difference, both initiatives have in common the fact that
they are non-state-driven, quasi-legal instruments which do not have any legally binding
force266. In other words, they are soft law rules267. In fact, the Tallinn Manuals and Microsoft’s
white papers could hardly amount to anything but a non-binding document268 since states still
are “the legislators of the international legal system” 269. That said, one may call into question
the importance of these initiatives for the development of international law. Is soft law an au-
thentic law? Is soft law effective to produce norms despite its non-binding nature?
261 Ibid., 8. 262 Smith 2017. 263 Ibid. 264 Tallinn Manual 2.0, 4. According to Currie, a persistent objector is a “state that clearly and consistently man-ifests its objection to a rule of international law since its inception, thereby escaping its universally binding effect. (Currie 2008, 587). 265 Supra note 228, at 3 266 In its introduction, the 2013 Tallinn Manual affirmed that it was designed to be “a non-binding document” (Tallinn Manual, 16). By contrast, in the Tallinn Manual 2.0, there is no indication that the it ought to be seen as a non-binding document. Regarding Microsoft’s proposals, the 2014 paper “encourages” governments to trans-form the proposed norms into politically and legally binding rules (Supra note 228, at 3). 267 Snyder defines ‘soft law’ as those “rules of conduct which, in principle, have no legally binding force but which nevertheless may have practical effects” (Snyder 1993, 32). Soft Law is normally included within non-binding legal instruments, such as recommendations, declarations, codes of conduct, guidelines, and opinions. Zerilli notes that “even a simple draft proposal elaborated by groups of international experts could possibly fit into the soft law category” (Zerilli 2010, 9). 268 Supra note 42, at 18-19. 269 Talmon 2005, 175.
39
4.2 The value of soft law
According to Besson, international legal norms might have different levels of norma-
tivity270, ranging from “being low (or soft) as with legal norms in the making to being impera-
tive as with norms of jus cogens”271. Certainly, the Tallinn Manual project and Microsoft’s
papers have a lower degree of legal normativity than binding international rules272. Indeed, as
stated by the ILC on its study on the Identification of Customary International Law, the “con-
duct of other actors [than states] is not practice that contributes to the formation, or expression,
of rules of customary international law”273. This, however, does not imply that these initiatives
are utterly irrelevant for the law-making process or even to the development of cyber law. Quite
the opposite, considering the normative plurality in international law, non-state-driven initia-
tives of this kind might be valuable both in quantity and quality274. For Thirlway, “soft law is
a vital intermediate stage towards a more rigorously binding system, permitting experiment
and rapid modification”275.
Moreover, even though these intermediary legal products are not “valid legal norms”,
they might possess a certain evidentiary importance in the next stages of the development of
rules of international law276. Put differently, non-binding documents, such as UN resolutions,
might evince the existence of both opinio juris and state practice which could later support the
formation of customary norms277. By this logic, hard and soft laws are not mutually exclusive
and should be seen as “tools provided with a different degree of normativity along a contin-
uum”278. It also should be noted that soft law-making processes normally involve non-state
actors and thus are more “multicultural and inclusive” than others279.
270 By ‘normativity’, I mean “the law’s claim to authority, that is, its claim to provide its legal subjects with exclu-sionary albeit prima facie reasons for action through binding legal norms or in other words its claim to create obligations to obey the law that in principle preclude some countervailing reasons for action” (Besson, 2010, 173). 271 Ibid., 174. 272 Supra note 42, at 19. 273 International Law Commission, Draft Conclusions on Identification of Customary International Law, with Com-mentaries, 2018, A/73/10, conclusion 4 (3), 130. 274 Supra note 240, at 170. 275 Thirlway 2019, 186-87. 276 Supra note 240, at 170. 277 Ibid. As pointed by the ILC, non-state practice “may be relevant” when assessing the practice of states (Su-pra note 243). 278 Zerilli 2010, 11. 279 Supra note 240, at 170-171. Regarding soft law, Joyner has interesting points that are worthwhile looking at. For instance, he notes that states are usually “more willing to be innovative when the adopted instrument is not legally binding” (Joyner 1998, 414).
40
According to Article 38(1) of the Statute of the ICJ, scholarly works are a secondary
source of public international law that informs the application of primary sources280. Hence, it
seems fair to conclude that the aforementioned initiatives are not only highly pertinent, but also
“likely to prove especially influential” 281. Nevertheless, this situation is by no means ideal
since states, and only states, hold the formal authority to create international law282. As Judge
Higgins aptly put it, “[s]tates are, at this moment of history, still at the heart of the international
legal system”283. However, it is important to bear in mind that the norms proposed by both the
Tallinn Manual Project and Microsoft’s papers might “mature through codification into treaty
law or crystallise into customary law”, so that they delineate the exact limits of activities in
cyberspace284.
This dynamic is certainly not without precedent. The Antarctic legal regime is the epit-
ome of this. In the 1960s and 1970s, many non-legally binding norms were brought in with
high hopes of conserving both living and non-living resources of Antarctica285. Joyner argues
that the adoption of these non-binding instruments laid the international legal foundation for
the treaty that was yet to come286. Ultimately, the majority of these norms were codified into
the 1991 Protocol on Environmental Protection to the Antarctic Treaty, a binding agreement
that has been ratified by all major international actors, including the USA, China, and Russia287.
Another prime example is the international nuclear safety regime. Even though pro-
posals to establish a legally-binding international treaty were put forward since the 1960s,
states were generally “disinclined to go beyond the recommendatory nature of the safety stand-
ards” issued by the International Atomic Energy Agency (IAEA)288. This situation, however,
280 “The Court, whose function is to decide in accordance with international law such disputes as are submitted to it, shall apply: (a) international conventions, whether general or particular, establishing rules expressly recognized by the con-testing states; (b) international custom, as evidence of a general practice accepted as law; (c) the general principles of law recognized by civilized nations; (d) subject to the provisions of Article 59, judicial decisions and the teachings of the most highly qualified publi-cist of the various nations, as subsidiary means for the determination of rules of law”. United Nations, Statute of the International Court of Justice, 18 April 1946, Article 38 (1). 281 Schmitt and Vihul 2016, 47. 282 Supra note 42, at 19. 283 Higgins 1994, 39. 284 Supra note 250. 285 Joyner 1998, 420. In the 1960s, more than seventy recommended measures were adopted by the Antarctic Treaty Consultative Party Meetings (ACTMs); and in 1970s, more than fifty were adopted. 286 Ibid. 287 Protocol on Environmental Protection to the Antarctic Treaty, October 1991, United Nations Treaty Series, vol. 2941, A-5778. 288 Nuclear Energy Agency and Organisation for Economic Cooperation and Development, Joint Report on Inter-national Law in the Post-Chernobyl Period, 2006, NEA No. 6146, 13.
41
changed rapidly after the Chernobyl accident, which exposed the costly transboundary conse-
quences of unsafe nuclear activity289. The 1986 disaster gave rise to an international legally-
binding regime for the safe development of nuclear energy, which slowly transformed the
safety standards and other relevant non-binding norms into hard law rules290.
One must be aware, however, that the cyber domain differs in important ways from the
Antarctic and the nuclear regimes. Perhaps the most notable difference is that, while the law-
making process vis-à-vis cyberspace has been spearheaded by non-state-driven initiatives, the
development of binding rules for international nuclear safety and the conservation of Antarctica
had been led mainly by state actors. Yet, these two regimes are valuable examples that illustrate
the codification of soft law norms291. With this in mind, the current status of cyber international
law should be seen as an early stage towards the codification or crystallisation of cyber hard
law292. The question that needs to be addressed, therefore, is whether states will finally rise to
the challenge.
289 Shull 2008, 4. 290 To wit: Convention on Early Notification of a Nuclear Accident, 1986, INFCIRC/335; Convention on Assistance in the Case of a Nuclear Accident or Radiological Emergency, 1986, INFCIRC/336; Convention on Nuclear Safety, 1994, INFCIRC/449; Joint Convention on the Safety of Spent Fuel Management and on The Safety of Radioactive Waste Management, 1997, INFCIRC/546. 291 Supra note 42, at 21. 292 Ibid.
42
Chapter 5 – Conclusion
The 2007 Estonian attacks, as well as other cyberattacks mentioned in this study, illus-
trate the severity of the threats facing states’ cybersecurity, and the equally important challenge
of implementing a legal framework for attributing blame for cyber activities. Given the ever-
growing reliance on ICTs and the increasing frequency, intensity, and complexity of cyberat-
tacks, a solution for the attribution problem is crucial for both promoting a (relatively) stable
world order and reducing the chances of conflict stemming from cyberoperations293. Note,
however, that this solution does not lie in the technical domains, as previously thought294. Prag-
matically, the most relevant hurdles for cyber deterrence nowadays are not poor technical ca-
pabilities since, from a technical standpoint, tools for attribution have matured significantly in
recent years295, increasing states’ confidence vis-à-vis assigning blame for malicious cyberat-
tacks296. Rather, the solution for this issue lies in the realm of international law and cooperation.
As transnational terrorism, migration crises, and other security challenges that plague
the international community, the attribution problem cannot be appropriately tackled by any
single international entity, regardless of how strong and influential that entity might be297. In-
stead, these modern phenomena require a framework for active global collaboration. It is inter-
national law that “affords [such] a framework, a pattern, a fabric for international society”298.
Nevertheless, in the context of the computer network, it seems that international law fails to
deliver. Even though states have agreed that public international law applies to cyberactivity,
there is no broad multilateral agreement on how to govern cyberspace299 and, therefore, it is as
yet uncertain how the international legal framework applies to this new, complex domain.
This difficulty in the application of traditional rules and principles of international law,
in order to properly address cyber challenges, results from a number of reasons300. Perhaps the
most relevant of them is the attachment of this body of law to state-centric assumptions and
foundations of the early formative stage of the international legal system301. By placing state
293 Supra note 3. 294 Supra note 10, at 28. 295 Supra note 33, at 1502. 296 Supra note 43, at 137. By way of an example, the USA has declared that it has the ability to identify and hold their cyber opponents accountable (Fryer-Biggs 2012). Indeed, in the last few years, the U.S. government has attributed high-profile cyberattacks, such as the 2014 intrusion at Sony Pictures Entertainment and the 2016 DNC hack, respectively, to North Korean and Russia (Supra note 42, at 23-24). 297 Supra note 42, at 2. 298 Henkin 1978, 5. 299 Moynihan 2019, 4. 300 Supra note 2, at 375. 301 Supra note 7, at 610-11.
43
actors at the heart of its legal regimes, public international law requires in almost all situations
a state link so as to determine either an international legal obligation or an internationally
wrongful act302. In an environment where non-state actors are as powerful, if not more so, than
states, it seems fair to conclude that this legal system grounded in the traditional state-centric
perspective of international law is not suitable or even adequate to address challenges posed by
cyberspace and the rapid development of ICTs303. In this sense, as long as states refuse to rec-
ognize the existence and the importance of other international players, any effort to govern
cyberspace and to establish legal mechanisms for cyber-attribution will fall short.
As it stands now, international law not only fails in effectively dealing with the attrib-
ution problem, but also is unlikely to be instrumental in providing both predictability and sta-
bility to cyberspace in the short and medium-terms. Besides the lack of clarity of the law in
this area, governments have been unwilling to clearly express their existing norms and practices
in relation to the cyber domain, impeding the formation of customary international law and
increasing unpredictability of state behaviour304. Note that, in spite of the constructive contri-
bution made by non-state initiatives, public international law is lagging far behind in many
respects and thus continues to be underdeveloped vis-à-vis cyber-attribution.
Before proceeding, two points still need to be considered. First, by filling the void cre-
ated by states’ reluctance to undertake the international law-making process, non-state-driven
initiatives, especially the Tallinn Manuals and Microsoft’s proposals, have been providing
much-needed clarity to some grey areas of international cyber law305. These initiatives, how-
ever, are constrained by their state-centric approaches, non-binding character, and interpreta-
tive methods, which usually lack the necessary legal safety306. Therefore, non-state initiatives
represent a relevant but primitive point in the discussion about the application of international
law to the cyber domain307. They should be seen as a means to an end, not an end in itself308.
302 Ibid. 303 According to Schmitt and Watts, the cyber domain and cyberactivity have bridged ”a number of formerly significant gaps between states’ and non-state actors’ abilities to compromise international peace and security. in fact, some non-state actors now match, if not exceed, the cyber capabilities of many states in this respect” (Supra note 7, at 595). 304 Supra note 33, at 1509. 305 Supra note 42, at 1. 306 Supra note 2, at 381. For instance, the Tallinn Manual 2.0 limited its analysis of cyber-attribution to the basic principles of State Responsibility, as codified by the ILC. However, as its name suggests, this body of law can only be applied when there is a state nexus. 307 Supra note 33, at 1513. 308 In this regard, Mačák points out that non-state initiatives might serve “as norm-making laboratories”, per-mitting states to identify and assess advantages and disadvantages of a number of proposals (Supra note 42, at 30-31).
44
To put it differently, this situation marks an early stage towards the formation of cyber hard
law, for the non-binding norms presented by these initiatives might, over time, mature through
either codification or crystallisation.
Second, if states genuinely wish to address the problem of cyber-attribution, they can
do so; they have the technological capabilities and all the necessary legal power. After all,
states are still at the heart of the international legal framework309 and are the only ones to hold
the formal authority to create international rules310. This argument generates an obvious puzzle,
however: why then do they not solve this conundrum? The answer to this question lies on the
fact that some countries may benefit from the current state of affairs, characterized by uncer-
tainties and the lack of express cyber norms311. States that possess the most advanced cyber
capabilities – such as the United States, Russia, China, and likely North Korea – may take
advantage of the cyber domain in order to fulfil their national interests in the physical world312.
For instance, the USA has allegedly used an extremely sophisticated computer worm, called
Stuxnet, to destroy numerous centrifuges in an Iranian nuclear facility313, thwarting the pro-
spects of Iran developing nuclear weapons and thus securing American geopolitical interests
in the Middle East.
By this logic, if states believe that by acting in unregulated cyberspace their gains offset
their losses, there will be no incentive for them to promote the regulation of this domain or to
solve the attribution problem. This might help to explain why state actors have been so reluctant
to engage in the cyber law-making process, as well as to express clear opinio juris with respect
to cyberspace. Considering the ever-increasing costs of insecurity and uncertainty related to an
ungoverned cyber domain, states may soon come to realize the necessity of an international
legal framework capable of addressing cyberattacks314. As Professor Koh aptly put it, “com-
pliance with international law frees us to do more, and do more legitimately, in cyberspace, in
a way that more fully promotes our national interests”315. Therefore, one can only hope that
309 Supra note 283. 310 Supra note 42, at 19. 311 Supra note 33, at 1511. 312 It should be noted that the former U.S. Secretary of Defence Leon Panetta stated that the American govern-ment was “developing the plans that needed to be developed to ensure the United States would remain one of the strongest players in the cyber arena” (Stone 2019). 313 Zetter 2014a. 314 Note, however, that this process might already be in motion, as illustrated by the 2015 cyber agreement between the United States and China (Harold 2016; Supra note 42, at 27). 315 Koh 2012, 10.
45
states do not wait for the occurrence of a “cyber 9/11” 316 or a “cyber Pearl Harbour” 317 to
overcome their aversion to engaging in the development of international cyber law.
In the meantime, cyberspace will continue to be an environment that offers the perfect
conditions for the security dilemma to thrive and in which the activities of both state and non-
state actors can trigger off conflicts causing widespread harm to societies, the global economy,
and the international security system. With this in mind, international stakeholders and policy-
makers should strive to increase transparency, so as to bridge the existing trust gaps inside the
international community. Overall, greater transparency reduces misperceptions and conflict
spirals and, consequently, leads to cooperation and better cybersecurity.
It is important to point out that, due to time constraints, this thesis was not able to assess
the role played by the private sector in attributing blame for cyberattacks or to analyse non-
Western approaches to the international rule of law in the cyber domain. Future researches,
therefore, should attempt to explore these topics.
316 Fazzini 2018. 317 Supra note 312.
46
Bibliography
Articles, Reports and Books
Ablon, Lilian et al. 2019. “Operationalizing Cyberspace as a Military Domain: Lessons for
NATO”. RAND Corporation, Perspectives, PE-329-NATO, 42 p.
Andersen, Morten Skumsrud. 2018. “Balance of Power”. In: Martel, Gordon (ed.). 2018. The
Encyclopaedia of Diplomacy, John Wiley & Sons, Ltd., 12 p.
Banks, William C. 2017. “State Responsibility and Attribution of Cyber Intrusions After Tal-
linn 2.0.” Texas Law Review, 95 (7), 1487-1513.
Banks, William C. 2019. “The Bumpy Road to a Meaningful International Law of Cyber At-
tribution”. AJIL Unbound, 113, 191-196.
Besson, Samantha. 2010. “Theorizing the Sources of International Law”. In: Besson, Samantha
and John Tasioulas. “The Philosophy of International Law”, Oxford University Press, 163-
186.
Bluth, Christoph. 2011. “The Security Dilemma Revisited: a paradigm for international secu-
rity in the twenty-first century?”. The International Journal of Human Rights, 15:8, 1362-
1377.
Boevert, W. Earl. 2010. “A Survey of Challenges in Attribution”. In: Committee on Deterring
Cyberattacks (ed.), Proceedings of a Workshop on Deterring Cyberattacks, 41-54.
Boutin, Berenice. 2019. “Shared Responsibility for Cyber Operations”. AJIL Unbound, 113,
197-201.
Brecher, Aaron P. 2012. “Cyberattacks and the Covert Action Statute: Towards a Domestic
Legal Framework for Offensive Cyberoperations”. Michigan Law Review, vol. 111, issue
3, 424-452.
Brenner, Joel. 2011. America the Vulnerable: Inside the New Threat Matrix of Digital Espio-
nage, Crime, and Warfare. The Penguin Press: New York.
Buchanan, Ben. 2017. The Cybersecurity Dilemma: Hacking, Trust and Fear between Nations.
New York: Oxford University Press.
Carlin, John P. 2016. “Detect, Disrupt, Deter: A Whole-of-Government Approach to National
Security Cyber Threats”. Harvard National Security Journal, 7, 391-436.
Carlsnaes, Walter et al. 2002. Handbook of International Relations. SAGE Publications Inc.,
571 p.
Charney, Scott et al. 2016. “From Articulation to Implementation: Enabling Progress on Cy-
bersecurity Norms”. Microsoft Corporation, 15 p.
47
Chircop, Luke. 2018. “A Due Diligence Standards of Attribution in Cyberspace”. International
and Comparative Law Quarterly, vol. 67, 643-668.
Clark, David D., and Susan Landau. 2011. “Untangling Attribution”. Harvard National Secu-
rity Journal, 2. “Public International Law”. Irwin Law Inc., Second Edition, Toronto, 619
p.
Clarke, Richard A., and Robert K. Knake. 2010. Cyber war: the next threat to national security
and what to do about it. New York: Ecco, 290 p.
Currie, John H. 2008. “Public International Law”. Irwin Law Inc. Second Edition, Toronto,
619 p.
d’Aspremont et al. 2015. “Sharing Responsibility Between Non-State Actors and State in In-
ternational Law: Introduction”. Netherlands International Law Review, 62, 49-67.
Davis II, John S. et al. 2017. Stateless Attribution: Towards International Accountability in
Cyberspace. RAND Corporation, Santa Monica, California, 54 p.
Deibert, Ronald J., Rafal Rohozinski, and Masashi Crete-Nishihata. 2012. “Cyclones in Cy-
berspace: Information shaping and denial in the 2008 Russia-Georgia war”. Security Dia-
logue 43(1), 3-24.
Dinniss, Heather H. 2014. Cyber Warfare and the Laws of War. Cambridge: Cambridge Uni-
versity Press.
Dinstein, Yoram. 2002. “Computer Network Attacks and Self-Defense”. International Law
Studies, vol. 76, 99-119.
Edwards, Benjamin et al. 2017. “Strategic Aspects of Cyberattack, Attribution and Blame”.
PNAS, vol. 114, no. 11, 2825-2830.
Efrony, Dan, and Yuval Shany. 2018. “A Rule Book on the Shelf? Tallinn Manual 2.0 on
Cyberoperations and Subsequent State Practice”. The American Journal or Internatioanl
Law, 112:4, 583-657.
Egan, Brian J. 2017. “International Law and Stability in Cyberspace”. Berkeley Journal of In-
ternational Law, 35:1, 169-180.
Egloff, Florian J. 2019. “Contested Public Attributions of Cyber Incidents and the Role of Ac-
ademia”. Contemporary Security Policy, 27 p.
Egloff, Florian J, and Andreas Wender. 2019. “Public Attribution of Cyber Incidents”. CSS
Analyses in Security Policy, no. 244, 4 p.
Eichensehr, Kristen E. 2014. “Review of the The Tallinn Manual on the International Law
Applicable to Cyber Warfare (Michael N. Schmitt et., 2013)”. The American Journal of
International Law, vol. 108, no. 3, 585-589
48
Eichensehr, Kristen E. 2019a. “Decentralized Cyberattack Attribution”. AJIL Unbound, 113,
213-217.
Eichensehr, Kristen E. 2019b. “The Law & Politics of Cyberattack Attribution”. UCLA Law
Review, vol. 67, 64 p, (2020 forthcoming); UCLA School of Law, Public Law Research
Paper no. 19-36.
Eun, Yong-Soo, and Judith Sita Aßmann. 2016. “Cyberwar: Taking Stock of Security Warfare
in the Digital Age”. International Studies Perspectives 17, 343-360.
Finnemore, Martha, and Duncan B. Hollis. 2016. “Constructing Norms for Global Cybersecu-
rity”. The American Journal of International Law, vol. 110, No. 3, 425-479.
Finnemore, Martha, and Duncan B. Hollis. 2019. “Beyond Naming and Shaming: Accusations
and International Law in Cybersecurity”. European Journal of International Law (forth-
coming 2020); Temple University Legal Studies Research Paper No. 2019-14.
Finnemore, Martha, and Kathryn Sikkink. 1998. “International Norm Dynamics and Political
Change”. The IO Foundation and the Massachusetts Institute of Technology. International
Organization 52, 4, 887-917.
Geiß, Robin, and Henning Lahmann “Freedom and Security in Cyberspace: Shifting the Focus
away from Military Responses towards Non-Forcible Countermeasures and Collective
Threat-Prevention”. In: Ziolkowski, Katharina (ed.) Peacetime Regime for State Activities
in Cyberspace: International Law, International Relations and Diplomacy, 621-658.
Ginsburg, Tom. “Introduction to Symposium on Sovereignty, Cyberspace, and Tallinn Manual
2.0”. AJIL Unbound, vol 111, 205-206.
Glaser, Charles L. 1997. “The Security Dilemma Revisited”. World Politics 50(1), 171-202.
Glaser, Charles L. 2010. Rational Theory of International Politics: The Logic of Competition
and Cooperation. Princeton: Princeton University Press.
Goldsmith, Jack, and Tim Wu. 2006. “Who Controls the Internet? Illusions of Borderless
World”. Oxford University Press, 226 p.
Goldsmith, Jack. 2011. “Cybersecurity Treaties: A Skeptical View”. In Future Challenges in
National Security and Law, edited by Peter Berkowitz. Hoover Institution, Stanford Uni-
versity.
Gomez, Miguel Alberto. 2019. “Past Behavior and Future Judgements: Seizing and Freezing
in Response to Cyber Operations”. Journal of Cybersecurity, 5 (1).
Gomez, Miguel Alberto. 2019. “Sound the Alarm! Updating Beliefs and Degradative Cyber
Operations”. European Journal of International Security, 4, 190-208.
49
Gunitskiy, Vsevolod. 2011. “Security Dilemma”. In: Dowding, Keith (ed.). 2011. Encyclopae-
dia of Power. SAGE Publications, Inc.: Thousand Oaks, 595-597.
Hakimi, Monica. 2019. “Introduction to the Symposium on Cyber Attribution”. AJIL Unbound,
113, 189-190.
Hathaway, Oona A. et al. 2012. “The Law of Cyber Attack”. California Law Review, 100:817,
817-886.
Henkin, Louis. 1978. How Nations Behave: Law and Foreign Policy. Columbia University
Press, 400 p.
Henriksen, Anders. 2019. “The End of the Road for the UN GGE Process: the Future Regula-
tion of Cyberspace”. Journal of Cybersecurity, 5 (1).
Herz, John H. 1950. “Idealist Internationalism and the Security Dilemma”. World Politics, vol.
2, no. 2, 157-180.
Herz, John H. 1959. International Politics in the Atomic Age. New York: Columbia University
Press, 360 p.
Higgins, Rosalyn. 1994. “Problems and Process: International Law and How We Use It”. Ox-
ford: Claredon Press.
Hoffmann, Stanley. 1965. The State of War: Essays in the Theory and Practices of Interna-
tional Politics. New York: Praeger, 276 p.
Hoisington, Matthew. 2017. “Regulating Cyber Operations Through International Law: In, out
or against the Box?”. In: Taddeo M., Glorioso L. (eds) Ethics and Policies for Cyber Op-
erations. Philosophical Studies Series, 124.
Hollis, Martin, and Steve Smith. 1990. Explaining and Understanding International Relations.
Clarendon Press, Oxford University Press, 226 p.
Ingber, Rebecca. 2017. “Interpretation Catalyststs in Cyberspcace”. Texas Law Review, vol.
95, 1531-1555.
Jervis, Robert. 1978. “Cooperation Under the Security Dilemma”. World Politics, vol. 30, no.
2, 167-214.
Jervis, Robert. 2017. Perception and Misperception on International Politics. Princeton Uni-
versity Press, new edition, 445 p.
Joyner, Christopher C. 1998. “Recommended Measures Under the Antarctic Treaty: Hardening
Compliance with Soft International Law”. Michigan Journal of International Law, vol. 19,
issue 2, 401-443.
Keohane, Robert O. 1986. Neorealism and Its Critics. New York: Columbia University Press,
345 p.
50
Kilovaty, Ido. 2019. “The Elephant in the Room: Coercion”. AJIL Unbound, vol. 113, 87-91.
Koh, Harold H. 2012. “International Law in Cyberspace”. Harvard International Law Journal,
54, 12 p.
Libicki, Martin C. 2007. Conquest in Cyberspace: National Security and Information Warfare.
Cambridge University Press.
Libicki, Martin. 2016. “Is There a Cybersecurity Dilemma?”. The Cyber Defence Review, vol.
1, no. 1, 129-140.
Lin, Herbert. 2016. “Attribution of Malicious Cyber Incidents: From Soup to Nuts”. Hoover
Institution Aegis Paper Series on National Security, Technology, and Law, no. 1607, 57 p.
Lindsay, Jon R. 2013. “Stuxnet and the Limits of Cyber Warfare”. Security Studies 22:3, 365-
404.
Lindsay, Jon R. 2015. “Tipping the Scales: The Attribution Problem and the Feasibility of
Deterrence against Cyberattack”. Journal of Cybersecurity, 1(1), 53-67.
Lipson, Howard F. 2002. “Tracking and Tracing Cyber-Attacks: Technical Challenges and
Global Policy Issues”. Carnegie Mellon Software Engineering Institute, CMU/SEI-2002-
SR-009, 70 p.
Lupovici, Amir. 2016. “The ‘Attribution Problem’ and the Social Construction of ‘Violence’:
Taking Cyber Deterrence Literature a Step Forward”. International Studies Perspectives,
17, 322-342.
Lynn III, William J. 2010. “Defending a New Domain: The Pentagon’s Cyberstrategy”. For-
eign Affairs, vol. 89, no. 5, 97-108.
Mačák, Kubo. 2016. “Is the International Law of Cybersecurity in Crisis?”. 2016 8th Interna-
tional Conference on Cyber Conflict, NATO CCD COE Publications, Tallinn, 127-139.
Mačák, Kubo. 2017. “From Cyber Norms to Cyber Rules: Re-engaging States at Law-makers”.
Leiden Journal of International Law, 29 p.
Maness, Ryan C., and Brandon Valeriano. 2014. “The Dynamics of Cyber Conflict Between
Rival Antagonists, 2001-11”. Journal of Peace Research, vol. 51(3), 347-360.
Maness, Ryan C., and Brandon Valeriano. 2016. “The Impact of Cyber Conflict on Interna-
tional Interactions”. Armed Forces & Society, 42 (2), 301-323.
McKay, Angela et al. 2014. “International Cybersecurity Norms: Reducing Conflict in an In-
ternet-Dependent World”. Microsoft Corporation, 20 p.
Mearsheimer, John J. 2001.The Tragedy of Great Power Politics. New York: W. W. Norton &
Company, Inc., 555 p.
51
Montgomery, Evan Braden. 2006. “Breaking Out of the Security Dilemma: Realism, Reassur-
ance, and the Problem of Uncertainty”. International Security, vol. 31, no. 2, 151-185.
Moynihan, Harriet. 2019. The Application of International Law to State Cyberattacks: Sover-
eignty and Non-Intervention. Chatham House, The Royal Institute of International Affairs,
International Law Programme, 58 p.
Mueller, Milton et al. 2019. “Cyber Attribution: Can a New Institution Achieve Transnational
Credibility?” The Cyber Defense Review, vol. 4, no. 1, 107-122.
Osula, Anna-Maria and Henry Rõigas. (eds.). 2016. International Cyber Norms: Legal, Policy
& Industry Perspectives. NATO CCD COE Publications, Tallinn, 245 p.
Owens, William A., Kenneth W. Dam, and Herbet S. Lin. (eds.). 2009. Technology, Policy,
Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities. Com-
mittee on Offensive Information Warfare, National Research Council. 390 p.
Payne, Christian, and Lorraine Finlay. 2017. “Addressing Obstacles to Cyber-attribution: A
Model Based on State Response to Cyber-attack”. The George Washington International
Law Review, vol. 49, 535-568.
Payne, Christian, and Lorraine Finlay. 2019. “The Attribution Problem and Cyber Armed At-
tacks.” AJIL Unbound, 113, 202-206.
Payne, Thomas. 2016. “Teaching Old Law New Tricks: Applying and Adapting State Respon-
sibility to Cyber Operations”. Lewis & Clark Law Review, vol. 20:2, 683-715.
Pipyros, Kosmas et al. 2018. “A New Strategy for Improving Cyber-attacks Evaluation in the
Context of Tallinn Manual”. Computers & Security, 74, 371-383
Rid, Thomas. 2013. Cyber War Will Not Take Place. Oxford University Press, Inc. 235p.
Rid, Thomas, and Ben Buchanan. 2015. “Attributing Cyber Attacks”. Journal of Strategic
Studies, 38:1-2, 4-37.
Roscini, Marco. 2010. “World Wide Warfare – Jus ad Bellum and the Use of Cyber Force”.
Max Planck Yearbook of United Nations Law, vol. 14, 85-130.
Schmitt, Michael N. 2011. “Cyber Operations and the Jus ad Bellum Revisited”. Villanova Law
Review, vol. 56, issue 3, 569-606.
Schmitt, Michael N., and Liis Vihul. 2014. “Proxy Wars in Cyberspace: The Evolving Inter-
national Law of Attribution”. Fletcher Security Review, vol. I, issue II Spring, 54-73.
Schmitt, Michael N., and Liis Vihul. 2016. “The Nature of International Law Cyber Norms”.
In: Osula, Anna-Maria and Henry Rõigas. 2016. International Cyber Norms: Legal, Policy
& Industry Perspectives. NATO CCD COE, Tallinn, 23-47.
52
Schmitt, Michael N., and Sean Watts. 2015. “The Decline of International Humanitarian Law
Opinio Juris and the Law of Cyber Warfare”. Texas International Law Journal, vol 50:2,
189-231.
Schmitt, Michael N., and Sean Watts. 2016. “Beyond State-Centrism: International Law and
Non-state Actors in Cyberspace”. Journal of Conflict & Security Law, 21 (3), 595-611.
Schmitt, Michael N. 2017b. “Grey Zones in the International Law of Cyberspace”. The Yale
Journal of International Law, vol. 42:2, 21 p.
Schulzke, Marcus. 2018. “The Politics of Attributing Blame for Cyberattacks and the Cost of
Uncertainty”. Perspective on Politics, 16 (4), 954-968.
Schweller, Randall L. 1996. “Neorealism’s Status-Quo Bias: What Security Dilemma?”. Secu-
rity Studies, 5:3, 90-121.
Shackelford, Scott J. 2008. “From Nuclear War to Net War: Analogizing Cyber Attacks in
International Law”. Berkeley Journal of International Law, vol. 27:1, 191-250.
Shackelford, Scott J. 2010. “State Responsibility for Cyber Attacks: Competing Standards for
a Growing Problem”. Conference on Cyber Conflict, CCD COE Publications, Tallinn, Es-
tonia, 197-208.
Sheldon, John. 2014. “Geopolitics and Cyber Power: why geography still matter”. American
Foreign Policy Interests 36(5), 286-93.
Shull, Aaron. 2008. “The Global Nuclear Safety and Security Regimes”. The Centre for Inter-
national Governance Innovation, Nuclear Energy Futures Papers, 28 p.
Singer, P.W., and Allan Friedman. 2014. Cybersecurity and Cyberwar: What Everyone Needs
to Know. Oxford University Press, 306 p.
Snyder, Francis. 1993. “The Effectiveness of European Community Law: Institutions, Pro-
cesses, Tools, and Techniques”. The Modern Law Review, vol. 56, 19-54.
Talmon, Stefan. 2005. “The Security Council as World Legislature”. The American Journal of
International Law, vol. 99, 175-193.
Tang, Shiping. 2009. “The Security Dilemma: A Conceptual Analysis”. Security Studies, 18,
587-623.
Thirlway, Hugh. 2019. The Sources of International Law. Oxford University Press, Second
Edition, 247 p.
Tikk, Eneken, Kadri Kaska, and Liis Vihul. 2010. International Cyber Incidents: Legal Con-
siderations. Cooperative Cyber Defence Centre of Excellence (CCD COE): Tallinn, Esto-
nia. 132 p.
53
Tran, Delbert. 2018. “The Law of Attribution: Rules for Attributing the Source of a Cyber-
Attack”. Yale Journal of Law and Technology, vol. 20, 376-441.
Wallace, David A., and Christopher W. Jacobs. 2019. “Conflict Classification and Cyber Op-
erations: Gaps, Ambiguities and Fault Lines”. University of Pennsylvania Journal of Inter-
national Law, 40 (3), 643-694.
Waltz, Kenneth N. 1979. Theory of International Politics. Philippines: Addison-Wesley Pub-
lishing Company, 251 p.
Waxman, Matthew C. 2011. “Cyber-Attacks and the Use of Force: Back to the Future of Article
2(4)” The Yale Journal of International Law, vol. 36, 421-459.
Wendt, Alexander. 1992. “Anarchy Is What States Make of It: The Social Construction of
Power Politics”. International Organization, vol. 46, no. 2, 391-425.
Wheeler, Nicholas, and Ken Booth. 2007. The Security Dilemma: Fear, Cooperation and Trust
in World Politics. Red Globe Press, 384 p.
Wu, Timothy S. 1997. “Cyberspace Sovereignty? – The Internet and the International System”.
Harvard Journal of Law & Technology, 10 (3), 647-666.
Xinmin, Ma. 2016. “Key Issues and Future Development of International Cyberspace Law”.
China Quarterly of International Strategic Studies, vol. 2, no. 1, 119-133.
Zerilli, Filippo M. 2010. “The Rule of Soft Law: An introduction”. Journal of Global and
Historical Anthropology, 56, 3-18.
Legal Sources and Official Documents
African Union. 2014. African Union Convention on Cybersecurity and Personal Data Protec-
tion. June 27. Available at: https://au.int/sites/default/files/treaties/29560-treaty-0048_-_af-
rican_union_convention_on_cyber_security_and_personal_data_protection_e.pdf.
Canada. 2014. Statement by the Chief Information Officer for the Government of Canada, July
29. Available at: https://www.canada.ca/en/news/archive/2014/07/statement-chief-infor-
mation-officer-government-canada.html.
Convention on International Civil Aviation. 1944. Chicago, December 7. Available at:
https://www.wipo.int/edocs/lexdocs/treaties/en/icao-ca/trt_icao_ca_001en.pdf.
Council of Europe. 2001. Convention on Cybercrime. ETS No. 185. November 23.
Council of Europe. 2003. Additional Protocol to the Convention on Cybercrime, concerning
the criminalisation of acts of a racist and xenophobic nature committed through computer
systems. ETS No. 189. January 28.
54
International Court of Justice. 1949. The Corfu Channel Case. Merits. Judgment of April 9th.
International Court of Justice. 1995. Legality of the Use by a State of Nuclear Weapons in
Armed Conflict (Request for Advisory Opinion Submitted by the World Health Organiza-
tion) and Legality of the Threat or Use of Nuclear Weapons (Request for Advisory Opinion
Submitted by the General Assembly of the United Nations). CR 95/25. Available at:
https://www.icj-cij.org/files/case-related/95/095-19951103-ORA-01-00-BI.pdf.
International Court of Justice. 1996. Reports of Judgements, Advisory Opinions and Orders.
Legality of the Threat or Use of Nuclear Weapons. Advisory Opinion of July 8.
International Court of Justice. 2007. Reports of Judgments, Advisory Opinions and Orders.
Case Concerning Application of the Convention on the Prevention and Punishment of the
Crime of Genocide (Bosnia and Herzegovina v. Serbia and Montenegro). Advisory Opinion
of February 26.
International Law Commission. Draft Articles on Responsibility of States for Internationally
Wrongful Acts, with Commentaries. 2001
International Law Commission. Draft Conclusions on Identification of Customary Interna-
tional Law, with Commentaries. 2018. A/73/10.
Japan. Information Security Policy Council. 2013. International Strategy on Cybersecurity Co-
operation. October 2. Available at: https://www.nisc.go.jp/eng/pdf/InternationalStrate-
gyonCybersecurityCooperation_e.pdf.
NATO. 2017. Warsaw Summit Communiqué. March 29. Available at:
https://www.nato.int/cps/en/natohq/official_texts_133169.htm.
Nielsen, Kirstjen M. 2018. “Rethinking Homeland Security in an Age of Disruption”. Septem-
ber 5, U.S. Department of Homeland Security. Available at:
https://www.dhs.gov/news/2018/09/05/secretary-nielsen-remarks-rethinking-homeland-
security-age-disruption.
Nuclear Energy Agency and Organization for Economic Cooperation and Development. 2006.
International Nuclear Law in the Post-Chernobyl Period. NEA No. 6146, 241 p.
République Française, Ministère des Armées. 2019. Droit International Appliqué aux Opéra-
tions dans le Cyberspace. Available at: https://www.defense.gouv.fr/content/down-
load/565895/9750877/file/Droit+internat+appliqué+aux+opérations+Cyberspace.pdf.
Schmitt, Michael N, editor. 2013. Tallinn Manual on the International Law Applicable to
Cyber Operations. New York, NY: Cambridge University Press.
Schmitt, Michael N, editor. 2017. Tallinn Manual 2.0 on the International Law Applicable to
Cyber Operations. New York, NY: Cambridge University Press.
55
Shanghai Cooperation Organization. 2009. Agreement between the Governments of the Mem-
ber States of the Shanghai Cooperation Organization on Cooperation in the Field of Inter-
national Information Security. June 16. Available at: https://ccdcoe-admin.aku.co/wp-con-
tent/uploads/2018/11/SCO-090616-IISAgreement.pdf.
United Kingdom. 2015. Chancellor’s Speech to GCHQ on Cybersecurity, November 17.
Available at: https://www.gov.uk/government/speeches/chancellors-speech-to-gchq-on-
cyber-security.
United Nations. 1946. Statute of the International Court of Justice. April 18.
United Nations. 1982. United Nations Convention on the Law of the Sea. December 10. Avail-
able at: https://www.un.org/depts/los/convention_agreements/texts/unclos/unclos_e.pdf.
United Nations. 1992. Constitution and Convention of the International Telecommunication
Union (with annexes and optional protocol). Vol. 1825, No. 31251. December 22.
United Nations. 1999. International Tribunal for the Prosecution of Persons Responsible for
Serious Violations of International Humanitarian Law Committed in the Territory of the
Former Yugoslavia since 1991. Prosecutor v. DuskoTadic. Case No. IT-94-1-A, July 15.
United Nations General Assembly. 2002. Developments in the Field of Information and Tele-
communications in the Context of International Security. UN Doc. A/RES/56/19.
United Nations General Assembly. 2002. Resolution adopted by the General Assembly on the
report of the Sixth Committee (A/56/589 and Corr.1). UN Doc. A/RES/56/83.
United Nations General Assembly. 2010. Group of Governmental Experts on Developments in
the Field of Information and Telecommunication in the Context of International Security.
UN Doc. A/65/201.
United Nations General Assembly. 2011. Letter dated 12 September 2011 from the Permanent
Representatives of China, the Russian Federation, Tajikistan and Uzbekistan to the United
Nations addressed to the Secretary-General. A/66/359.
United Nations General Assembly. 2013. Group of Governmental Experts on Developments in
the Field of Information and Telecommunication in the Context of International Security.
UN Doc. A/68/98*.
United Nations General Assembly. 2015. Group of Governmental Experts on Developments in
the Field of Information and Telecommunication in the Context of International Security.
UN Doc. A/10/174.
United Nations General Assembly. 2015. Letter dated 9 January 2015 from the Permanent
Representatives of China, Kazakhstan, Kyrgyzstan, the Russian Federation, Tajikistan and
Uzbekistan to the United Nations addressed to the Secretary General. A/69/723.
56
United Nations General Assembly. 2018. Developments in the field of information and tele-
communications in the con-text of international security. UN Doc. A/C.1/73/L.27*.
United Nations Legislative Series. 2012. Material on the Responsibility of States for Interna-
tionally Wrongful Acts. UN Doc. ST/LEG/SER.B/25.
United States, Secretary of Defense. 2006. The National Military Strategy for Cyberspace Op-
erations (U). Available at: https://www.hsdl.org/?abstract&did=35693.
United States, Department of Justice. May 19 2014. U.S. Charges Five Chinese Military Hack-
ers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Com-
mercial Advantage. Available at: https://www.justice.gov/opa/pr/us-charges-five-chinese-
military-hackers-cyber-espionage-against-us-corporations-and-labor.
United States Senate. January 5 2017. Foreign Cyber Threats to the United States. Available
at: https://www.armed-services.senate.gov/hearings/17-01-05-foreign-cyber-threats-to-
the-united-states.
United States. White House. May 2011. International Strategy for Cyberspace: Prosperity,
Security, and Openness in a Networked World.
Websites
Allison, Graham. 2018. “Review: An Uneasy Unpeace”. The Wall Street Journal, Jan 21.
Available at https://www.wsj.com/articles/review-an-uneasy-unpeace-1516566192.
Barnes, Julian E. 2016. “NATO Recognizes Cyberspace as New Frontier in Defense”. The Wall
Street Journal, June 14. Available at: https://www.wsj.com/articles/nato-to-recognize-cy-
berspace-as-new-frontier-in-defense-1465908566.
Brunnée, Jutta. 2018. “Challenging International Law: What’s new?”. OpinioJuris, November
13. Available at: https://opiniojuris.org/2018/11/13/challenging-international-law-whats-
new/.
Chernenko, Elena, Oleg Demidov, and Fyodor Lukyanov. 2018. “Increasing International Co-
operation in Cybersecurity and Adapting Cyber Norms”. Council on Foreign Relations,
February 23. Available at: https://www.cfr.org/report/increasing-international-coopera-
tion-cybersecurity-and-adapting-cyber-norms.
Corera, Gordon. 2016. “How France’s TV5 was Almost Destroyed by ‘Russian Hackers’”.
BBC, October 10. Available at: https://www.bbc.com/news/technology-37590375.
Fazzini, Kate. 2018. “Power outages, bank runs, changed financial data: Here are the ‘cyber
9/11’ scenarios that really worry the experts”. CNBC, November 18. Available at:
57
https://www.cnbc.com/2018/11/18/cyber-911-scenarios-power-outages-bank-runs-
changed-data.html.
Fryer-Biggs, Z. 2012. “DoD’s New Cyber Doctrine: Panetta Defines Deterrence, Preemption
Strategy”, Defense News, October 13. Available at: https://archive.defensenews.com/arti-
cle/20121013/DEFREG02/310130001/DoD-8217-s-New-Cyber-Doctrine.
Goldsmith, Jack, and Robert D. Williams. 2018. “The Failure of the United States’ Chinese-
Hacking Indictment Strategy”. Lawfare, December 28. Available at: https://www.lawfare-
blog.com/failure-united-states-chinese-hacking-indictment-strategy.
Greenemeier, Larry. 2011. “Seeking Address: Why Cyber Attacks Are So Difficult to Trace
Back to Hackers”. Scientific American, June 11. Available at: https://www.scientificamer-
ican.com/article/tracking-cyber-hackers/.
Harold, Scott W. 2016. “The U.S.-China Cyber Agreement: A Good First Step”. The Rand
Blog, August 1st. Available at: https://www.rand.org/blog/2016/08/the-us-china-cyber-
agreement-a-good-first-step.html.
Jinghia, Lyu. 2019. “What are China’s Cyber Capabilities and Intentions?”. Carnegie Endow-
ment for International Peace, April 1st. Available at: https://carnegieendow-
ment.org/2019/04/01/what-are-china-s-cyber-capabilities-and-intentions-pub-78734.
Korab-Karpowicz, W. Julian. 2017. “Political Realism in International Relations”. The Stan-
ford Encyclopaedia of Philosophy, May 24. Available at: https://plato.stanford.edu/en-
tries/realism/intl-relations/#Bib.
Korzak, Elaine. 2017. “UN GGE on Cybersecurity: The End of an Era?”. The Diplomat, July
31. Available at: https://thediplomat.com/2017/07/un-gge-on-cybersecurity-have-china-
and-russia-just-made-cyberspace-less-safe/.
Leyden, John. 2017. “WikiLeaks exposes CIA anti-forensics tool that makes Uncle Sam seem
fluent in enemy tongues”. The Register, March 31. Available at: https://www.theregis-
ter.co.uk/2017/03/31/wikileaks_cia/.
Marks, Joseph. 2015. “U.N. body agrees to U.S. norms in cyberspace”. Politico, July 09. Avail-
able at: https://www.politico.com/story/2015/07/un-body-agrees-to-us-norms-in-cyber-
space-119900.
McConnell, Mike. 2010. “Mike McConnell on how to win the cyber-war we’re losing”. Feb-
ruary 28. Available at: https://cyberdialogue.ca/wp-content/uploads/2011/03/Mike-
McConnell-How-to-Win-the-Cyberwar-Were-Losing.pdf.
Nakashima, Ellen. 2015. “Following U.S. indictments, China Shifts commercial hacking away
from military to civilian agency”. The Washington Post, November 30. Available at:
58
https://www.washingtonpost.com/world/national-security/following-us-indictments-chi-
nese-military-scaled-back-hacks-on-american-industry/2015/11/30/fcdb097a-9450-11e5-
b5e4-279b4501e8a6_story.html.
Smith, Brad. 2017. “The need for a digital Geneva Convention”. Microsoft, February 14. Avail-
able at: https://blogs.microsoft.com/on-the-issues/2017/02/14/need-digital-geneva-con-
ventio/.
Stone, Adam. 2019. “How Leon Panetta’s ‘Cyber Pearl Harbour’ Warning Shaped Cyber Com-
mand”. Fifth Domain, July 30. Available at: https://www.fifthdomain.com/opin-
ion/2019/07/30/how-leon-panettas-cyber-pearl-habor-warning-shaped-cyber-command/.
Traynor, Ian. 2007. “Russia accused of unleashing cyberwar to disable Estonia”. The Guard-
ian, May 17. Available at: https://www.theguardian.com/world/2007/may/17/top-
stories3.russia.
Wright, Jeremy. 2018. “Speech: Cyber and International Law in the 21st Century”. May 23.
Available at: https://www.gov.uk/government/speeches/cyber-and-international-law-in-
the-21st-century.
Zetter, Kim. 2014a. “An Unprecedented Look at Stuxnet, the World’s First Digital Weapon”.
Wired, November 3. Available at: https://www.wired.com/2014/11/countdown-to-zero-
day-stuxnet/.
Zetter, Kim. 2014b. “The Evidence that North Korea Hacked Sony is Flimsy”. Wired, Decem-
ber 17. Available at: https://www.wired.com/2014/12/evidence-of-north-korea-hack-is-
thin/.
Zetter, Kim. 2016. “Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid”.
Wired, March 03. Available at: https://www.wired.com/2016/03/inside-cunning-unprece-
dented-hack-ukraines-power-grid/.